Bug 6711 - chpasswd doesn't do MD5 passwords
Summary: chpasswd doesn't do MD5 passwords
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: shadow-utils
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Eido Inoue
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-11-04 09:03 UTC by tom
Modified: 2007-04-18 16:24 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2004-09-16 22:16:57 UTC


Attachments (Terms of Use)

Description tom 1999-11-04 09:03:50 UTC
When MD5 passwords have been enabled, chpasswd doesn't
detect this and keeps making normal DES 8 character one.

[root@newblack /root]# useradd testuser
[root@newblack /root]# passwd testuser
Changing password for user testuser
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfuly
[root@newblack /root]# grep testuser /etc/shadow
testuser:$1$A.TWky7$K6CQwzI2gBESw13SlaWBd0:10899:0:99999:7:-
1:-1:1345345
[root@newblack /root]# chpasswd
testuser:somepass
[root@newblack /root]# !grep
grep testuser /etc/shadow
testuser:0wuPb0XucJRXA:10899:0:99999:7:::13435344
[root@newblack /root]# userdel testuser

Comment 1 Stephen John Smoogen 2000-04-25 20:45:59 UTC
most of shadow utils doesnt deal with MD5 passwds
usermod -p
useradd -p
etc

In these cases it only imports the first 8 characters of the string

Comment 2 Preston Brown 2000-07-13 19:06:56 UTC
nalin: looks like these need PAM-ification.  You own shadow-utils now. :(

Comment 3 Stephen John Smoogen 2003-01-24 18:54:02 UTC
Bug still exists in Red Hat Linux 8.0. Pretty sure it is in Phoebe also.

Comment 4 Per Steinar Iversen 2003-08-29 13:14:50 UTC
This bug is still not resolved in RedHat 9 or even in the Severn beta. Yet a
simple fix exists that works on RedHat 9 or Severn at least: Modify
/etc/login.defs to contain this line:

MD5_CRYPT_ENAB  yes

Please add this line when MD5 passwords are selected, it should be a trivial fix
and improves password security.


Note You need to log in before you can comment on or make changes to this bug.