Red Hat Bugzilla – Bug 50808
ksconfig stores plaintext root password
Last modified: 2008-05-01 11:38:00 EDT
Description of Problem:
Kickstart uses unencrypted passwords
Follow the instructions in "The Official Red Hat Linux Customization
Guide", section 2.5.
Steps to Reproduce:
1. start ksconfig
2. type in your root password in the space provided
3. be sure "md5 passwords" is checked (mainly to get a false sense of security)
4. save the file
The plain text root password is stored in the kickstart file.
If I selected md5 passwords, I would have expected that ksconfig would
store an md5 password and kickstart would just put that already hashed
password into /etc/shadow.
This feature makes the ks.cfg file a very valuable file to people who
would like to do harm. If it is accessible via FTP, HTTP, or NFS, your
root password is rather trivially accessible.
I changed ksconfig to always write out an encrypted root password. Fixed in CVS.