20342 – Use SHA-512 instead of blowfish as the default password encryption for the root and user accounts on install

Bug 20342 - Use SHA-512 instead of blowfish as the default password encryption for the root and user accounts on install

Summary: Use SHA-512 instead of blowfish as the default password encryption for the ro...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Installer (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	Mageia 6
Assignee:	Frédéric "LpSolit" Buclin
QA Contact:

URL:
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2017-02-24 02:27 CET by Frédéric "LpSolit" Buclin
Modified:	2017-02-25 08:41 CET (History)
CC List:	5 users (show)

See Also:	20344
Source RPM:
CVE:
Status comment:

Attachments
fix default password encryption, v1 (1.42 KB, patch) 2017-02-24 02:31 CET, Frédéric "LpSolit" Buclin	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Frédéric "LpSolit" Buclin 2017-02-24 02:27:42 CET

The installer uses blowfish to hash passwords in /etc/shadow, but subsequent user account creation with drakuser uses SHA-512 as specified in /etc/libuser.conf, see bug 16467:

crypt_style = sha512

For consistency, the installer should use SHA-512 too instead of blowfish.

Comment 1 Frédéric "LpSolit" Buclin 2017-02-24 02:31:19 CET

Created attachment 8984 [details]
fix default password encryption, v1

Here is the patch, which fixes install2.pm.

Comment 2 Frédéric "LpSolit" Buclin 2017-02-24 02:32:15 CET

Thierry: could you have a look at this patch, please?

CC: (none) => thierry.vignaud

Comment 3 Thierry Vignaud 2017-02-24 08:53:39 CET

CCing Pascal which did the original work:
http://gitweb.mageia.org/software/drakx/commit/?id=c0529b4c5858300c0bd9c94fd35540e1f105dfd6

Keywords: (none) => PATCH
CC: (none) => pterjan

Comment 4 Nicolas Lécureuil 2017-02-24 10:42:58 CET

sound good for me and more coherent with pascal previous changes.

CC: (none) => mageia

Marja Van Waes 2017-02-24 20:00:03 CET

CC: (none) => mageiatools, marja11

Marja Van Waes 2017-02-24 20:01:01 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=20344

Comment 5 Mageia Robot 2017-02-25 08:40:55 CET

commit 67d8f423c623740a1118b80d2c5e4489d432cc26
Author: Frédéric Buclin <LpSolit@...>
Date:   Sat Feb 25 07:55:40 2017 +0100

    use SHA-512 instead of blowfish
    
    as the default password encryption (mga#20342)
    
    thus completing commit c0529b4c5858300c0bd9c94fd35540e1f105dfd6
---
 Commit Link:
   http://gitweb.mageia.org/software/drakx/commit/?id=67d8f423c623740a1118b80d2c5e4489d432cc26

Comment 6 Thierry Vignaud 2017-02-25 08:41:17 CET

Closing

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.