Bug 2213597 - chpasswd does not use a unique salt per line entry
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: shadow-utils
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2023-06-08 16:36 UTC by Fedora Guru
Modified: 2024-05-22 11:21 UTC (History)
Last Closed: 2024-05-22 11:21:00 UTC

Links
System: Red Hat Issue Tracker
ID: SSSD-6379
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2023-06-29 13:52:33 UTC

Description Fedora Guru 2023-06-08 16:36:10 UTC
chpasswd does not generate a unique salt for each line of input which means that the same password will result in the same hash.  Kind of defeats the purpose.

[root@fedora38]# seq -f user%02g 10 | while read x; do useradd -m $x; done
[root@fedora38]# seq -f user%02g 10 | sed -e 's/.*/&:TestSecret1/' | chpasswd 
[root@fedora38]# grep user[0-9][0-9] /etc/shadow
user01:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user02:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user03:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user04:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user05:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user06:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user07:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user08:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user09:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::
user10:$y$j9T$qFRIpafBx.wKfP.K7Rx8s/$AD1RBpoDJPrdeD.yxVw5awqspL0kxUnUflIeuyUMJz6:19516:0:99999:7:::


Reproducible: Always

Steps to Reproduce:
1. Create multi-line input for chpasswd using different usernames and the same password
2. Observe that all the hashes are the same
3. If each line is instead fed to chpasswd in separate invocations, the hashes are different
Actual Results:  
Actual results are seen above in Details.

Expected Results:  
Expected that each password, even if the same, have a unique hash output.

Should generate a separate salt for each line of input.

Comment 1 Aoife Moloney 2024-05-22 11:21:00 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

