Bug 1253051

Summary: "To create an encrypted password, you can use python" improperly & unnecessarily suggests using custom salt
Product: Red Hat Enterprise Linux 7
Reporter: Ryan Sawhill <rsawhill>
Component: doc-Installation_Guide
Assignee: Petr Bokoc <pbokoc>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: urgent
Version: 7.1
CC: ecs-bugs, pbokoc, rsawhill
Target Milestone: rc
Keywords: Documentation
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1253048
Last Closed: 2015-11-24 16:57:04 UTC
Type: Bug
Bug Depends On: 1253048

Description Ryan Sawhill 2015-08-12 20:14:46 UTC
+++ This bug was initially created as a clone of Bug #1253048 +++

Document URL: 

  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html#sect-kickstart-commands

Section Number and Name: 

  23.3. Kickstart Syntax Reference

Describe the issue: 

  Three times on this page, you can find the following text:

    To create an encrypted password, you can use python: 
      $ python -c 'import crypt; print(crypt.crypt("My Password", "$6$My Salt"))'
    This generates a sha512 crypt of your password using your provided salt

  Note that neither passwd nor grub-crypt lets you specify custom salts ... so, to be clear, it's just not done, and a potentially bad practice to encourage.

Suggestions for improvement: 

  Remove all mentions of salt. The python version we have in RHEL6 and RHEL7 auto-generates an appropriate random salt when you don't specify it. Instead, the text could read:

    To create an encrypted password, you can use python:
      $ python -c 'import crypt; print(crypt.crypt("My Password"))'
    This generates a sha512 crypt-compatible hash of your password using a random salt. 

Additional information: 

  Here's what python's crypt looks like on RHEL7:

  # python -c 'import crypt; print(crypt.crypt("My Password"))'
  $6$ixr3bNcdW5VITMgz$8HJdnbow67FK8nDke3AyX19.Q1WqyRSM9CklF5sRcsp4j6crg0Kfm3RTTOLQibtUVGrTvK/BI5oDQ96Tx0cJq.

  # python -c 'import crypt; help(crypt.crypt)'
  Help on function crypt in module crypt:
  crypt(word, salt=None)
    Return a string representing the one-way hash of a password, with a salt
    prepended.
    
    If ``salt`` is not specified or is ``None``, the strongest
    available method will be selected and a salt generated.  Otherwise,
    ``salt`` may be one of the ``crypt.METHOD_*`` values, or a string as
    returned by ``crypt.mksalt()``.
    
    Note that these are non-standard extensions to Python 2.7's crypt.crypt()
    entrypoint, backported from 3.3: the standard Python 2.7 crypt.crypt()
    entrypoint requires two strings as the parameters, and does not support
    keyword arguments.
  (END)
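
An added example, not part of the original report or of Red Hat's documentation: a small audit of SHA-512 crypt strings (for instance, collected from kickstart files) that flags salts which were typed by hand or reused, the outcome the old wording invited. It assumes the standard `$6$[rounds=N$]salt$hash` layout and treats "16 characters from the crypt alphabet" (the shape `crypt.mksalt()` produces) as a heuristic for a generated salt; `audit_hashes` and the sample data are hypothetical names and constructed values.

```python
import re
from collections import Counter

# SHA-512 crypt layout: $6$[rounds=N$]salt$hash (86-character hash field).
SHA512_CRYPT = re.compile(
    r"\$6\$(?:rounds=\d+\$)?(?P<salt>[^$]*)\$(?P<digest>[./0-9A-Za-z]{86})"
)
# Heuristic shape of a crypt.mksalt() salt: 16 chars from the crypt alphabet.
GENERATED_SALT = re.compile(r"[./0-9A-Za-z]{16}")


def audit_hashes(hashes):
    """Map each hash string to a list of findings about its salt."""
    salts = {}
    for h in hashes:
        m = SHA512_CRYPT.fullmatch(h)
        salts[h] = m.group("salt") if m else None
    # Count how many distinct hash strings share each salt.
    reuse = Counter(s for s in salts.values() if s is not None)

    report = {}
    for h, salt in salts.items():
        findings = []
        if salt is None:
            findings.append("not a SHA-512 crypt string")
        else:
            if not GENERATED_SALT.fullmatch(salt):
                findings.append("salt does not look generated: %r" % salt)
            if reuse[salt] > 1:
                findings.append("salt shared by %d hashes" % reuse[salt])
        report[h] = findings
    return report


# Constructed input: digest fields are filler, not real password hashes.
FILLER_A, FILLER_B = "A" * 86, "B" * 86
SAMPLE = [
    "$6$My Salt$" + FILLER_A,            # salt typed by hand, as in the old text
    "$6$My Salt$" + FILLER_B,            # same salt on a second account
    "$6$ixr3bNcdW5VITMgz$" + FILLER_A,   # salt shape from the RHEL 7 output above
    "$1$abcdefgh$" + "C" * 22,           # not SHA-512 crypt
]

if __name__ == "__main__":
    for h, findings in audit_hashes(SAMPLE).items():
        print(h[:24] + "...", findings or ["ok"])
```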

Comment 5 Petr Bokoc 2015-11-24 16:57:04 UTC
Changes have been published both in the 7.2 Beta release as well as in the final 7.2 release.