Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#43299 - [shadow] new pwds are encrypted with the old DES algorithm, when set after the old pwd is expired
Attached to Project:
Arch Linux
Opened by Yury Makarevich (Yury) - Thursday, 01 January 2015, 18:30 GMT
Last edited by Dave Reisner (falconindy) - Sunday, 04 January 2015, 17:29 GMT
Description:
Not sure if upstream or the configuration problem, but... When a user's password expires (e.g. via `passwd -e') and the user logs in via getty, the login program forces the user to set a new password. The new pwd, however, gets encrypted with the old DES algorithm [1], which is relatively weak and "degrades" user experience (e.g. see [2]). (The most typical manifestation of the password encryption with DES is that it accounts only the first 8 chars of the password string.)

[1] See `man 3 crypt'
[2] https://bbs.archlinux.org/viewtopic.php?pid=1317527

Additional info:
* package version(s): util-linux 2.25.2-1, pam 1.1.8-5

Steps to reproduce:
1. Install a vanilla arch-linux (as per the `installation' wiki page).
2. Run `pacman -Syyu'.
3. Boot the system and login as `root'.
4. Run `passwd -e root'.
5. Logout and then re-login via getty (i.e. no display manager or the like).
6. When prompted for a new password, type a password that is longer than 8 chars.
7. Re-login as root again.
* Note that this time you can use virtually any password that has the proper first 8 chars; the rest of the chars are simply ignored.
* You can also examine `/etc/shadow' --- the root password field should contain something like "1YbkxsnxAz22w" as opposed to something like "$6$D63fw.tv$QCUtcCcZuCJvT25fH33K...". (The former indicates the DES algorithm, while the latter is a much stronger SHA-512; see also `crypt(3)'.)
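An added audit script, not part of this report: it classifies the password field of /etc/shadow-style lines by crypt(3) prefix so an administrator can find accounts whose password was rehashed with traditional DES (or another legacy scheme) after an expiry like the one described above. The shadow lines are constructed samples (the DES field reuses the shape quoted in the report, the other hashes are placeholders in the right syntax); the prefix table follows glibc crypt(5) conventions, and treating DES, BSDi DES and MD5 as "weak" is this script's own policy.

```python
"""Find /etc/shadow entries whose hash uses a legacy crypt(3) scheme."""
import re

# Constructed sample lines in /etc/shadow format (name:hash:lastchg:min:max:warn:::).
# None of these hashes come from a real system.
SAMPLE_SHADOW = """\
root:1YbkxsnxAz22w:16436:0:99999:7:::
alice:$6$D63fw.tv$QCUtcCcZuCJvT25fH33K0mVtA8Q7ZiyH6zuMPq4WGp1e8RaYSFmZ6LQDNdE5aJeyqLIG1yFQXjXQhR0sN7fH3/:16436:0:99999:7:::
bob:$1$abcdefgh$1234567890123456789012:16436:0:99999:7:::
daemon:*:16436:0:99999:7:::
nobody:!:16436:0:99999:7:::
"""

# "$id$" prefix -> algorithm family, as documented in crypt(5) for glibc/libxcrypt.
PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Traditional DES output: exactly 13 characters from the crypt alphabet.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Policy choice for this script: schemes an auditor should flag.
WEAK = {"des", "bsdi-des", "md5"}


def classify_hash(field):
    """Map one shadow password field to an algorithm family name.

    A leading '!' means the account is locked; the hash behind it (if any)
    is still classified so a locked-but-DES account is not hidden.
    """
    locked = field.startswith("!")
    core = field.lstrip("!")
    if core == "" or core == "*":
        # '*' / '!' / '!!' : no usable hash; '' : empty password field
        return "disabled" if (locked or core == "*") else "none"
    if core.startswith("$"):
        for prefix, name in PREFIXES.items():
            if core.startswith(prefix):
                return name
        return "unknown"
    if core.startswith("_"):
        return "bsdi-des"          # BSDi extended DES, also legacy
    if DES_HASH.match(core):
        return "des"               # traditional DES: only 8 password chars count
    return "unknown"


def parse_shadow(text):
    """Yield (user, password_field) for each non-empty shadow line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        yield parts[0], parts[1]


def weak_accounts(text):
    """Return the users whose hash falls into a WEAK scheme, in file order."""
    return [user for user, field in parse_shadow(text)
            if classify_hash(field) in WEAK]


if __name__ == "__main__":
    # Run against the real file with:  sudo python3 thisscript.py < /etc/shadow
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHADOW
    for user, field in parse_shadow(data):
        print("%-12s %s" % (user, classify_hash(field)))
    print("weak:", ", ".join(weak_accounts(data)) or "none")
```

Reading /etc/shadow requires root; for a non-interactive check, pipe the file in and act on the "weak" list (for example by forcing a password change with `passwd -e` once the hashing defaults are fixed, so the rehash lands in SHA-512 rather than DES).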
Closed by Dave Reisner (falconindy)
Sunday, 04 January 2015, 17:29 GMT
Reason for closing: Fixed
Additional comments about closing: rehashing issue fixed by shadow-4.2.1-2
static void
load_defaults (void)
{
load_defaults_internal ("/etc/default/passwd");
load_defaults_internal ("/etc/login.defs");
}
Also, file `src/unix_passwd.c' at line 522 defines a function `__do_setpass', which starts with examining the logindefs and selecting the pwd encryption method (see lines 529 -- 561). Unfortunately, currently I cannot make sense of all that logic.
Hope that helps.
1. /etc/pam.d/login has no password rules, so PAM falls back to /etc/pam.d/other
2. /etc/pam.d/other has pam_unix.so for all rules. This default does not make sense to me.
So
1. /etc/pam.d/login needs a line "password include system-local-login"
2. /etc/pam.d/other should IMHO default to pam_deny.so or system-login.
BTW the pam_nologin.so line in /etc/pam.d/login is duplicated in /etc/pam.d/system-login.
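The fallback described in this comment can be checked mechanically. The following is an added example, not part of the report and not Linux-PAM code: it flattens the `password` stack of a service the way libpam does (following `include`/`substack`, and consulting `other` only when the service file has no line for that management group) and reports where the stack really came from. The pam.d contents are constructed and simplified stand-ins, not Arch's actual files; the set of algorithm option names is an assumption drawn from pam_unix's documented options, and whether a pam_unix rule without such an option ends up using DES depends on the pam_unix version and login.defs, so the missing argument is reported only as something to review.

```python
"""Resolve which /etc/pam.d file actually supplies a service's password stack."""
import re

# Constructed, simplified pam.d contents (service name -> file text).
# The 'login' file deliberately has no 'password' line, as in the report.
WEAK_PAMD = {
    "login": (
        "auth       required   pam_securetty.so\n"
        "auth       requisite  pam_nologin.so\n"
        "auth       include    system-local-login\n"
        "account    include    system-local-login\n"
        "session    include    system-local-login\n"
    ),
    "other": (
        "auth       required   pam_unix.so\n"
        "account    required   pam_unix.so\n"
        "password   required   pam_unix.so\n"
        "session    required   pam_unix.so\n"
    ),
    "system-local-login": (
        "auth       include    system-login\n"
        "account    include    system-login\n"
        "password   include    system-login\n"
        "session    include    system-login\n"
    ),
    "system-login": (
        "auth       include    system-auth\n"
        "account    include    system-auth\n"
        "password   include    system-auth\n"
        "session    include    system-auth\n"
    ),
    "system-auth": (
        "auth       required   pam_unix.so     try_first_pass nullok\n"
        "account    required   pam_unix.so\n"
        "password   required   pam_unix.so     sha512 shadow nullok\n"
        "session    required   pam_unix.so\n"
    ),
}

# The fix proposed in the comment: give 'login' its own password rule.
FIXED_PAMD = dict(WEAK_PAMD)
FIXED_PAMD["login"] = WEAK_PAMD["login"] + "password   include    system-local-login\n"

# type  control(simple word or [bracketed actions])  module  args...
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def collect(files, service, group, depth=0):
    """Flatten one management group's rules, following include/substack."""
    if depth > 8:
        raise ValueError("pam.d include loop at %s" % service)
    rules = []
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group(1) != group:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            rules.extend(collect(files, module, group, depth + 1))
        else:
            rules.append((control, module, args))
    return rules


def resolve_stack(files, service, group):
    """Return (source_service, rules).  source_service is 'other' when the
    service file contributed no rule of this group at all."""
    rules = collect(files, service, group)
    if rules:
        return service, rules
    return "other", collect(files, "other", group)


# pam_unix options that pick a hashing scheme (assumed list, see lead-in).
HASH_OPTIONS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish", "yescrypt"}


def audit_password_stack(files, service):
    """Findings a reviewer would want for the 'password' group of a service."""
    source, rules = resolve_stack(files, service, "password")
    findings = []
    if source == "other":
        findings.append("%s: password stack falls back to /etc/pam.d/other" % service)
    for control, module, args in rules:
        if module == "pam_unix.so" and not HASH_OPTIONS.intersection(args):
            findings.append("%s: pam_unix.so (via %s) sets no explicit hash algorithm"
                            % (service, source))
    return findings


if __name__ == "__main__":
    for label, files in (("weak", WEAK_PAMD), ("fixed", FIXED_PAMD)):
        print(label, audit_password_stack(files, "login") or ["ok"])
```

To run this against a live system, build the `files` dict from the contents of /etc/pam.d/* and call `audit_password_stack` for each service that can change passwords (login, passwd, sshd, the display manager); the same resolver also answers the comment's point about `other`, since any service name that resolves to `other` for a group is relying on that default.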