Bug 1195110

Summary: passwd uses 8 character salt, should use 16 character salt
Product: [Fedora] Fedora
Reporter: Chris Murphy <bugzilla>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: fkluknav, mattdm, mitr, rcyriac, tmraz, tscherf
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pam-1.3.1-13.fc28 pam-1.3.1-13.fc29
Doc Type: Enhancement
Last Closed: 2018-12-17 02:27:23 UTC
Type: Bug

Description Chris Murphy 2015-02-23 05:42:51 UTC
Description of problem:
Anaconda created /etc/shadow entries are created with this command:
12:22:51,458 INFO program: Running... /usr/sbin/authconfig --update --nostart --enableshadow --passalgo=sha512 --enablefingerprint
which results in a 16 character salt in the shadow file. Changing the password with the password command results in an 8 character salt instead.


Version-Release number of selected component (if applicable):
passwd-0.79-5.fc21.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Check /etc/shadow following Anaconda installation; it uses a 16 character salt.
2. passwd <user> to change the password
3. Check /etc/shadow

Actual results:

16 character salt for that user is replaced with an 8 character salt

Expected results:

There should be a new 16 character salt replacing the old one.


Additional info:

Comment 1 Miloslav Trmač 2015-02-23 22:10:48 UTC
Thanks for your report.

This is happening in pam_unix/passverify.c:create_password_hash.

Though, really, 8 characters with 6 bits each means you would have to collect over 16 million password entries to get a >50% likelihood of having even two entries with the same salt, which seems fairly sufficient; and using the full spec maximum of 16 characters moves the 50%-likelihood value to 281*10^12 entries, which is obviously unnecessary. OTOH it wouldn’t really hurt, so reassigning to PAM for consideration.
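
Added example, not part of the comment thread and not PAM's code: a Python sketch that audits shadow-format lines for SHA-crypt entries whose salt is shorter than 16 characters, and reproduces the collision arithmetic discussed above. The sample lines, user names and `CONSTRUCTEDHASH` placeholder are constructed; the function names are hypothetical.

```python
import math

# Modular crypt ids for the SHA-crypt schemes, whose salt may be up to 16 characters.
SCHEMES = {"5": "sha256", "6": "sha512"}
BITS_PER_SALT_CHAR = 6  # salt alphabet [a-zA-Z0-9./] has 64 symbols

def parse_shadow_line(line):
    """Return (user, scheme, salt), or None for locked-only, empty or other entries."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, pw = fields[0], fields[1].lstrip("!")  # leading '!' marks a locked password
    parts = pw.split("$")  # ['', id, salt, hash] or ['', id, 'rounds=N', salt, hash]
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        return None
    if parts[2].startswith("rounds="):
        parts = parts[:2] + parts[3:]  # drop the optional rounds field
        if len(parts) < 4:
            return None
    return user, SCHEMES[parts[1]], parts[2]

def collisions_50pct(salt_chars):
    """Return (sqrt(N), n) for a salt space of N values: the square-root estimate
    and the birthday-bound count n = sqrt(2 ln 2 * N) for a 50% collision chance."""
    space = 2 ** (BITS_PER_SALT_CHAR * salt_chars)
    return math.isqrt(space), math.ceil(math.sqrt(2 * math.log(2) * space))

def short_salts(lines, want=16):
    """List (user, scheme, salt_length) for entries with fewer than `want` salt chars."""
    found = []
    for line in lines:
        rec = parse_shadow_line(line)
        if rec and len(rec[2]) < want:
            found.append((rec[0], rec[1], len(rec[2])))
    return found

# Constructed sample entries; the hash field is a placeholder, not a real hash.
SAMPLE = [
    "alice:$6$Ab3dEf9hIj2kLm5n$CONSTRUCTEDHASH:16489:0:99999:7:::",
    "bob:$6$Qw8rTy1u$CONSTRUCTEDHASH:16489:0:99999:7:::",
    "carol:$6$rounds=5000$Zx7cVb2n$CONSTRUCTEDHASH:16489:0:99999:7:::",
    "dave:!!:16489::::::",
    "erin:!$6$Mn4bVc6xLk8jHg0f$CONSTRUCTEDHASH:16489:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme, n in short_salts(SAMPLE):
        print(f"{user}: {scheme} salt is {n} chars ({n * BITS_PER_SALT_CHAR} bits)")
    for chars in (8, 16):
        print(chars, collisions_50pct(chars))
```

To audit a real system, pass the lines of /etc/shadow (readable by root only) to `short_salts` in place of `SAMPLE`.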

Comment 2 Fedora Update System 2018-12-02 22:41:39 UTC
pam-1.3.1-13.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1cc39ff643

Comment 3 Fedora Update System 2018-12-02 22:41:54 UTC
pam-1.3.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-fdece005fe

Comment 4 Fedora Update System 2018-12-03 02:07:51 UTC
pam-1.3.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fdece005fe

Comment 5 Fedora Update System 2018-12-03 08:27:59 UTC
pam-1.3.1-13.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1cc39ff643

Comment 6 Fedora Update System 2018-12-17 02:27:23 UTC
pam-1.3.1-13.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-12-17 19:11:56 UTC
pam-1.3.1-13.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.