[Pkg-shadow-devel] Bug#447747: Bug#447747: Bug#447747: chpasswd default hash algorithm

Christian Perrier bubulle at debian.org
Wed Oct 24 05:23:40 UTC 2007


Quoting Margarita Manterola (margamanterola at gmail.com):
> Hi!
> 
> On 10/23/07, Christian Perrier <bubulle at debian.org> wrote:
> > Quoting Matias Soler (gnuler at gmail.com):
> > > Package: passwd
> > > Version: 1:4.0.18.1-7
> > > Severity: wishlist
> > >
> > > It would be desirable to default chpasswd hash algorithm to MD5 instead of
> > > DES.
> > Well, we might need a pretty strong rationale to consider a change
> > that would break the "no surprise" principle.
> 
> Well, it depends on which the surprise is.  I find it quite surprising
> that in 2007 using chpasswd in Debian leads to passwords being

s/in Debian/in all distros that use chpasswd

That's one of the points.

> truncated at 8 characters.  I thought this was OLD history.
> 
> > Changing the default behaviour of the utility would be likely to break
> > existing setups that use chpasswd.
> 
> Would something really break?  The passwords would be as long as the
> user actually typed them, but only after changing the password, and
> only if you used a longer-than-8-characters-long password but then
> typed the first 8 characters.
> 
> What real scenario is there for something breaking?


All users who have custom scripts based on chpasswd and relying on the
fact that generated passwords are DES ones. If we suddenly change the
default behaviour of chpasswd to generated MD5 hashes, then we might
break their systems if they are not MD5-ready.

I don't know if this is a corner case but this is certainly something
we might want to triple-check before changing the default behaviour
of that command.

Moreover, I wouldn't like to change the default in Debian only. We
have worked enough to remove all Debian-specific stuff in shadow and
it would be sad to go one step back.
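The two concerns in this thread are both visible in the shape of the stored hash: a traditional DES crypt(3) hash is 13 characters from the crypt alphabet with no `$` prefix and only ever covers the first 8 characters of the password, while MD5 (`$1$`) and later schemes use the modular `$id$salt$hash` form and hash the whole password. The following audit script is an added example and is not code from this thread or from the shadow package; it classifies the password field of shadow-format lines so an administrator can find accounts still stored as DES (and therefore silently truncated to 8 characters) before or after changing chpasswd's default. The sample shadow lines are constructed and the hash bodies in them are not real hashes.

```python
import re

# Traditional DES crypt(3): 2-char salt followed by 11 hash chars, all from
# the crypt alphabet [./0-9A-Za-z], with no '$' prefix.  Only the first 8
# characters of the password contribute to such a hash.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format: $id$salt$hash; the id selects the algorithm.
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$")

ALGO_BY_ID = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "2b": "bcrypt",
    "y": "yescrypt",
}

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:::).
# The hash bodies are placeholders, not hashes of any real password.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:13800:0:99999:7:::
alice:xyZzzzzzzzzzz:13800:0:99999:7:::
bob:$1$c0nstruc$AAAAAAAAAAAAAAAAAAAAAA:13800:0:99999:7:::
daemon:*:13800:0:99999:7:::
carol:!$6$c0nstructed$AAAAAAAAAAAAAAAAAAAAAA:13800:0:99999:7:::
"""


def classify_hash(field):
    """Label one shadow password field by the hashing scheme it was stored with."""
    if field == "":
        return "empty"          # no password required at all
    if field.startswith(("!", "*")):
        return "locked"         # account cannot authenticate with a password
    if DES_HASH_RE.match(field):
        return "des"            # legacy 13-char DES crypt, 8-char effective password
    m = MCF_RE.match(field)
    if m:
        return ALGO_BY_ID.get(m.group(1), "unknown-mcf:" + m.group(1))
    return "unknown"


def audit_shadow(lines):
    """Map each user in shadow-format lines to the label of its password field."""
    result = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed line; skip rather than guess
        result[fields[0]] = classify_hash(fields[1])
    return result


def des_accounts(lines):
    """Users whose stored hash is traditional DES, i.e. truncated to 8 characters."""
    return [user for user, label in audit_shadow(lines).items() if label == "des"]


if __name__ == "__main__":
    for user, label in audit_shadow(SAMPLE_SHADOW.splitlines()).items():
        print(f"{user:10s} {label}")
    print("DES (8-char effective) accounts:", des_accounts(SAMPLE_SHADOW.splitlines()))
```

Run it against a root-readable copy of the shadow file (`audit_shadow(open("/etc/shadow").read().splitlines())`) to list the accounts that would only pick up full-length passwords once their password is next changed under a non-DES default.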

