[Pkg-shadow-devel] Bug#1043236: login: different encryption method is used than asked for
sz47u6+6eabsrwazv5xo at cs.email
Mon Aug 7 20:08:33 BST 2023
Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: normal
Tags: patch
Dear Maintainer,
/etc/login.defs contains this:
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
Which would make the user think that SHA512 is being used. However, in reality, it's YESCRYPT that is being used, because that is what PAM uses.
Therefore the default Debian configuration does not adhere to its own advice in the file, where the values should be consistent both in /etc/login.defs and in PAM.
Patch attached to make the value in /etc/login.defs consistent with PAM.
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages login depends on:
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u1
ii libcrypt1 1:4.4.33-2
ii libpam-modules 1.5.2-6
ii libpam-runtime 1.5.2-6
ii libpam0g 1.5.2-6
login recommends no packages.
login suggests no packages.
-- no debconf information
-------------- next part --------------
>From b12158ecf8c9f85a3870d5fca64335d09f339df6 Mon Sep 17 00:00:00 2001
From: Your Name <you at example.com>
Date: Mon, 7 Aug 2023 19:07:17 +0000
Subject: [PATCH] use consistent algorithm
---
debian/login.defs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/login.defs b/debian/login.defs
index bc129779..40f8c74a 100644
--- a/debian/login.defs
+++ b/debian/login.defs
@@ -291,7 +291,7 @@ USERGROUPS_ENAB yes
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
-ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD YESCRYPT
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
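Review bot: the trailing context line "# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512." now sits directly under a YESCRYPT default, so the setting that comment introduces is documented as having no effect with the value this hunk selects. Consider extending the patch to say so at that comment, so the file does not once more suggest that a setting is active when it is not. The commit header also still carries the placeholder author "Your Name <you at example.com>".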
--
2.39.2
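A check for the mismatch this report describes, as an added example that is not part of the report or of the shadow package: it compares ENCRYPT_METHOD in a login.defs file with the hash option on the pam_unix.so password line. The function names are hypothetical, the sample files are constructed, and the PAM line and the path /etc/pam.d/common-password are assumed from a stock Debian install.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample files are constructed.

# Active ENCRYPT_METHOD in a login.defs file (assumes the last uncommented line wins).
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = toupper($2) } END { if (m != "") print m }' "$1"
}

# Hash option on the pam_unix.so "password" line, in login.defs naming.
# Prints UNSET when the line carries no algorithm option.
pam_unix_method() {
    awk '$1 == "password" && /pam_unix\.so/ {
            found = "UNSET"
            for (i = 2; i <= NF; i++) {
                if ($i == "yescrypt") found = "YESCRYPT"
                else if ($i == "sha512") found = "SHA512"
                else if ($i == "sha256") found = "SHA256"
                else if ($i == "blowfish") found = "BCRYPT"
                else if ($i == "md5") found = "MD5"
            }
        }
        END { if (found != "") print found }' "$1"
}

# Returns 0 when both agree, 1 on mismatch, 2 when either value is missing.
check_consistency() {
    defs=$(login_defs_method "$1")
    pam=$(pam_unix_method "$2")
    if [ -z "$defs" ] || [ -z "$pam" ]; then
        echo "UNKNOWN login.defs=${defs:-none} pam_unix=${pam:-none}"; return 2
    fi
    if [ "$defs" = "$pam" ]; then echo "OK $defs"; return 0; fi
    echo "MISMATCH login.defs=$defs pam_unix=$pam"; return 1
}

# Constructed sample files mirroring the report; nothing is read from the live system.
tmp=$(mktemp -d)
printf '%s\n' '# the PAM modules configuration.' 'ENCRYPT_METHOD SHA512' > "$tmp/login.defs"
printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure yescrypt' > "$tmp/common-password"
check_consistency "$tmp/login.defs" "$tmp/common-password" || true
rm -rf "$tmp"
```

On a real host the same function can be pointed at /etc/login.defs and the distribution's PAM password file; the exit status makes it usable in a configuration audit job.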