Bug 2213597

Summary: chpasswd does not use a unique salt per line entry
Product: [Fedora] Fedora
Component: shadow-utils
Version: 38
Hardware: x86_64
OS: Linux
Status: CLOSED EOL
Severity: medium
Priority: medium
Reporter: Fedora Guru <alt.f9-fdg785n>
Assignee: Iker Pedrosa <ipedrosa>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: aboscatt, ipedrosa, jkucera, mitr, pvrabec, tm
Keywords: MigratedToJIRA, Security, Triaged
Last Closed: 2024-05-22 11:21:00 UTC

Description Fedora Guru 2023-06-08 16:36:10 UTC
chpasswd does not generate a unique salt for each line of input which means that the same password will result in the same hash.  Kind of defeats the purpose.

[root@fedora38]# seq -f user%02g 10 | while read x; do useradd -m $x; done
[root@fedora38]# seq -f user%02g 10 | sed -e 's/.*/&:TestSecret1/' | chpasswd 
[root@fedora38]# grep user[0-9][0-9] /etc/shadow
user01:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user02:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user03:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user04:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user05:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user06:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user07:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user08:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user09:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user10:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::


Reproducible: Always

Steps to Reproduce:
1. Create multi-line input for chpasswd using different usernames and the same password
2. Observe that all the hashes are the same
3. If each line is instead fed to chpasswd in separate invocations, the hashes are different

Actual Results:
Actual results are seen above in Details.

Expected Results:  
Expected that each password, even if the same, have a unique hash output.

Should generate a separate salt for each line of input.
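
An audit check for the condition reported above, as an added example (not part of the original report and not shadow-utils code): it groups shadow(5) entries by crypt(3) scheme, parameters and salt, and reports any salt that appears on more than one account. The sample lines are constructed placeholders, and only the yescrypt, sha-crypt, MD5-crypt and bcrypt layouts are parsed.

```python
from collections import defaultdict

# Constructed sample in shadow(5) format; salts and hashes are placeholders.
SAMPLE = """\
alice:$y$j9T$saltAAAAAAAAAAAAAAAAAA$hash1:19516:0:99999:7:::
bob:$y$j9T$saltAAAAAAAAAAAAAAAAAA$hash1:19516:0:99999:7:::
carol:$y$j9T$saltBBBBBBBBBBBBBBBBBB$hash2:19516:0:99999:7:::
dave:!$6$rounds=5000$saltCCCC$hash3:19516:0:99999:7:::
erin:$6$rounds=5000$saltCCCC$hash4:19516:0:99999:7:::
daemon:*:19516:0:99999:7:::
""".splitlines()

def salt_key(field):
    """Return (scheme, params, salt) for a crypt(3) modular hash, else None."""
    if not field.startswith("$"):
        return None                      # "*", "!", empty, or legacy DES
    parts = field.split("$")[1:]         # drop the empty piece before the first "$"
    scheme = parts[0]
    if scheme in ("2a", "2b", "2y") and len(parts) == 3:
        # bcrypt: $2b$cost$ then a 22-char salt fused with the hash
        return (scheme, parts[1], parts[2][:22])
    if scheme == "y" and len(parts) == 4:
        return (scheme, parts[1], parts[2])          # $y$params$salt$hash
    if scheme in ("1", "5", "6"):
        if len(parts) == 4 and parts[1].startswith("rounds="):
            return (scheme, parts[1], parts[2])      # $6$rounds=N$salt$hash
        if len(parts) == 3:
            return (scheme, "", parts[1])            # $6$salt$hash
    return None

def shared_salts(lines):
    """Map each salt used by more than one account to those accounts."""
    groups = defaultdict(list)
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2:
            continue
        pw = fields[1].lstrip("!")       # a locked account keeps its hash after "!"
        key = salt_key(pw)
        if key is not None:
            groups[key].append((fields[0], pw))
    return {key: {"users": [u for u, _ in members],
                  # identical salt and identical hash means identical password
                  "identical_hash": len({h for _, h in members}) == 1}
            for key, members in groups.items() if len(members) > 1}

if __name__ == "__main__":
    for key, info in shared_salts(SAMPLE).items():
        print(key, info)
```
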

Comment 1 Aoife Moloney 2024-05-22 11:21:00 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.