Bug 1195110 - passwd uses 8 character salt, should use 16 character salt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-02-23 05:42 UTC by Chris Murphy
Modified: 2018-12-17 19:11 UTC (History)

Fixed In Version: pam-1.3.1-13.fc28 pam-1.3.1-13.fc29
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-17 02:27:23 UTC
Type: Bug
Embargoed:



Description Chris Murphy 2015-02-23 05:42:51 UTC
Description of problem:
Anaconda-created /etc/shadow entries are created with this command:
12:22:51,458 INFO program: Running... /usr/sbin/authconfig --update --nostart --enableshadow --passalgo=sha512 --enablefingerprint
which results in a 16 character salt in the shadow file. Changing the password with the password command results in an 8 character salt instead.


Version-Release number of selected component (if applicable):
passwd-0.79-5.fc21.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Check /etc/shadow following Anaconda installation, it uses 16 character salt.
2. passwd <user> to change the password
3. Check /etc/shadow

Actual results:

16 character salt for that user is replaced with an 8 character salt

Expected results:

There should be a new 16 character salt replacing the old one.


Additional info:

Comment 1 Miloslav Trmač 2015-02-23 22:10:48 UTC
Thanks for your report.

This is happening in pam_unixpassverify.c:create_password_hash.

Though, really, 8 characters with 6 bits each means you would have to collect over 16 million password entries to get a >50% likelihood of having even two entries with the same salt, which seems fairly sufficient; and using the full spec maximum of 16 characters moves the 50%-likelihood value to 281*10^12 entries, which is obviously unnecessary.  OTOH it wouldn’t really hurt, so reassigning to PAM for consideration.
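
An added example, not part of this bug report or of the PAM source: a check that reads shadow-format lines, reports SHA-crypt entries whose salt is shorter than 16 characters, and computes the square-root (birthday) scale of the salt space discussed in Comment 1. The sample entries are constructed with placeholder hash fields, and the function names are assumptions made for this example.

```python
import math

SHA_CRYPT_IDS = {"5": "sha256", "6": "sha512"}
MAX_SALT_LEN = 16  # longest salt SHA-crypt accepts; 6 bits per character

# Constructed sample in /etc/shadow layout; hash fields are placeholders.
SAMPLE = """\
alice:$6$Zr8kQ1mWb3TnY5dE$PLACEHOLDERHASH:16489:0:99999:7:::
bob:$6$aB3dE6gH$PLACEHOLDERHASH:16489:0:99999:7:::
carol:!$6$rounds=10000$q7Lm2PxZ$PLACEHOLDERHASH:16489:0:99999:7:::
daemon:*:16489:0:99999:7:::
"""


def parse_salt(line):
    """Return (user, algo, salt) for a SHA-crypt entry, or None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    # A locked account keeps its hash behind one or more '!' characters.
    parts = fields[1].lstrip("!").split("$")
    if len(parts) < 4 or parts[0] or parts[1] not in SHA_CRYPT_IDS:
        return None  # '*', empty, or a scheme this check does not cover
    if parts[2].startswith("rounds="):
        if len(parts) < 5:
            return None
        salt = parts[3]  # optional rounds=N field precedes the salt
    else:
        salt = parts[2]
    return fields[0], SHA_CRYPT_IDS[parts[1]], salt


def short_salts(text, want=MAX_SALT_LEN):
    """List (user, algo, salt_len) for entries whose salt is shorter than want."""
    found = []
    for line in text.splitlines():
        parsed = parse_salt(line)
        if parsed and len(parsed[2]) < want:
            found.append((parsed[0], parsed[1], len(parsed[2])))
    return found


def birthday_scale(salt_len):
    """Square root of the salt space (64**salt_len): the entry count at
    which two entries sharing a salt starts to become likely."""
    return math.isqrt(64 ** salt_len)


if __name__ == "__main__":
    for user, algo, n in short_salts(SAMPLE):
        print(f"{user}: {algo} salt is {n} chars, scale ~{birthday_scale(n):,} entries")
```

To audit a live system, pass the contents of /etc/shadow (readable only by root) to `short_salts` in place of `SAMPLE`.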

Comment 2 Fedora Update System 2018-12-02 22:41:39 UTC
pam-1.3.1-13.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1cc39ff643

Comment 3 Fedora Update System 2018-12-02 22:41:54 UTC
pam-1.3.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-fdece005fe

Comment 4 Fedora Update System 2018-12-03 02:07:51 UTC
pam-1.3.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fdece005fe

Comment 5 Fedora Update System 2018-12-03 08:27:59 UTC
pam-1.3.1-13.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1cc39ff643

Comment 6 Fedora Update System 2018-12-17 02:27:23 UTC
pam-1.3.1-13.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-12-17 19:11:56 UTC
pam-1.3.1-13.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

