[Pkg-shadow-devel] Bug#505640: Bug#505640: Bug#505640: closed by Nicolas François <nicolas.francois at centraliens.net> (Re: Bug#505640: generate hashed passwords to stdout for other tools)

Nicolas François nicolas.francois at centraliens.net
Thu Apr 9 19:24:21 UTC 2009


On Mon, Apr 06, 2009 at 12:30:49PM -0700, kees at debian.org wrote:
> On Mon, Apr 06, 2009 at 06:59:01AM +0200, Nicolas François wrote:
> > On Sun, Apr 05, 2009 at 06:03:56PM -0700, kees at debian.org wrote:
> > >
> > > While certainly true, there is still a need external to PAM, for
> > > this utility.  By this rationale, /etc/login.defs should not include
> > > ENCRYPT_METHOD or any other crypt/hash-related knowledge,
> > 
> > I'm targeting this.
> 
> What are your thoughts on how to detect what PAM has configured as the
> default hash method for pam_unix.so?

Using pam_chauthtok, with a non-interactive conversation function.

I have a patch somewhere if you're interested.

> > The main functionality of a salt is randomness. I really do not see a
> > need to standardize this randomness, and the salt from mkpasswd is good
> > enough for me.
> 
> Right, my concern was the length of the salt -- it depends on the hash
> method.  However, it seems that mkpasswd handles this.  (Why is this tool
> in "whois"?!)
> 
> Speaking for randomness, I think mkpasswd is totally wrong:
>     srand(time(NULL) + getpid());
> 
> This needs to at least use /dev/urandom, or sec+usec as done in shadow.
> 
> I don't feel that mkpasswd is a viable replacement.

Those are bugs, which can be reported and fixed.

There is also a bug that it does not accept a salt smaller than 16 bytes for
SHA-256 and SHA-512. This does not conform to
http://people.redhat.com/drepper/SHA-crypt.txt

> > I would not recommend using the shadow tools to generate hashed passwords
> > for algorithms that may not be supported by the authentication system,
> > which is why I would like to move the ENCRYPT_METHOD configuration out on
> > PAM enabled systems.
> 
> Right, this is only sane for supported hashing methods, but PAM tracks
> glibc in this regard, so I'm not worried.

PAM supports more than glibc.
shadow may support more than glibc in non-PAM mode. The two sets may not be
identical.

Best Regards,
-- 
Nekral
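The two defects raised in this exchange, a salt seeded from time()+getpid() and a salt length check that ignores the per-method limits of crypt(3), can be shown side by side in a small generator. The code below is an added illustration, not mkpasswd's or shadow's source: it reads salt bytes from /dev/urandom (assumed present, as on Linux), masks each byte to 6 bits to pick one of the 64 crypt salt characters, and enforces the limits the thread refers to, up to 8 characters for MD5-crypt ($1$) and up to 16 for SHA-crypt ($5$/$6$), with shorter salts accepted as the SHA-crypt spec allows. The function names and the $1$/$5$/$6$ prefix table are this example's own choices; the weak_salt() function reconstructs the srand(time+pid) pattern quoted above to show that it makes the salt a deterministic function of two guessable values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* crypt(3) salt alphabet: exactly 64 symbols, so one uniformly random byte
 * masked to 6 bits selects one symbol with no modulo bias. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Maximum salt length (characters) for a modular-crypt prefix.
 * MD5-crypt ($1$) takes up to 8; SHA-crypt ($5$, $6$) takes up to 16 and
 * explicitly allows shorter salts. 0 means the prefix is not handled here. */
size_t max_salt_len(const char *prefix) {
    if (strcmp(prefix, "$1$") == 0) return 8;
    if (strcmp(prefix, "$5$") == 0 || strcmp(prefix, "$6$") == 0) return 16;
    return 0;
}

/* Encode n random bytes as n salt characters plus NUL (out needs n+1 bytes). */
void encode_salt(const unsigned char *rnd, size_t n, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = SALT_CHARS[rnd[i] & 0x3f];
    out[n] = '\0';
}

/* Build the "<prefix><salt>$" setting string that is passed to crypt(3).
 * Returns 0 on success, -1 if the prefix is unknown, saltlen is outside
 * 1..max for that method, or out is too small. rnd must hold saltlen bytes. */
int build_setting(const char *prefix, const unsigned char *rnd, size_t saltlen,
                  char *out, size_t outsz) {
    size_t max = max_salt_len(prefix);
    if (max == 0 || saltlen == 0 || saltlen > max) return -1;
    if (outsz < strlen(prefix) + saltlen + 2) return -1;   /* + '$' + NUL */
    char salt[17];                                          /* 16 chars + NUL */
    encode_salt(rnd, saltlen, salt);
    snprintf(out, outsz, "%s%s$", prefix, salt);
    return 0;
}

/* Fill buf from the kernel CSPRNG. Returns 0 on success, -1 on failure;
 * a failure is reported, never papered over with a weaker source. */
int fill_urandom(unsigned char *buf, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Hardened generator: kernel randomness plus the method-aware length check. */
int random_setting(const char *prefix, size_t saltlen, char *out, size_t outsz) {
    unsigned char rnd[16];
    if (saltlen > sizeof rnd) return -1;
    if (fill_urandom(rnd, saltlen) != 0) return -1;
    return build_setting(prefix, rnd, saltlen, out, outsz);
}

/* Reconstruction of the weak pattern quoted in the thread (not mkpasswd's
 * code): seeding rand() with time+pid makes the whole salt a deterministic
 * function of two values an attacker can guess or observe. */
void weak_salt(unsigned long time_plus_pid, size_t n, char *out) {
    srand((unsigned)time_plus_pid);
    for (size_t i = 0; i < n; i++)
        out[i] = SALT_CHARS[rand() % 64];
    out[n] = '\0';
}

int main(void) {
    char setting[32];
    if (random_setting("$6$", 16, setting, sizeof setting) == 0)
        printf("SHA-512 setting for crypt(3): %s\n", setting);

    char a[17], b[17];
    weak_salt(1239306261UL + 4242, 16, a);   /* same time+pid ...       */
    weak_salt(1239306261UL + 4242, 16, b);   /* ... reproduces the salt */
    printf("weak salts identical: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```

The setting string is what gets handed to crypt(3) together with the password; the example stops short of that call so it builds without -lcrypt. Two choices matter here: the mask `& 0x3f` keeps the selection uniform over the 64-symbol alphabet, and a /dev/urandom failure is returned to the caller rather than replaced by a time-based seed, which is exactly the fallback the thread objects to.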