Bug 977732 - in 19 Final text install, ordinary user password in kickstart file is unencrypted
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 20
Hardware: All
OS: Linux
Assignee: Samantha N. Bueno
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-25 08:40 UTC by Andre Robatino
Modified: 2013-11-09 18:43 UTC

Fixed In Version: anaconda-20.20-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1012028 (view as bug list)
Environment:
Last Closed: 2013-11-09 18:43:11 UTC
Type: Bug
Embargoed:



Links
System ID: Red Hat Bugzilla 1015220
Private: 0
Priority: unspecified
Status: CLOSED
Summary: can't log in as ordinary user after text install unless under user spoke, password field is last one filled out
Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1015220

Description Andre Robatino 2013-06-25 08:40:10 UTC
Description of problem:
Doing a minimal text install from the 19 Final RC1 DVD (either i386 or x86_64), during which I set an ordinary user password, it appears in plaintext in the kickstart file. When I did a minimal GUI install in the same way, it was encrypted. A root password is always encrypted regardless of install method. This is the first compose where I looked at the kickstart file, so I don't know when this problem started.

Version-Release number of selected component (if applicable):
anaconda-19.30.11-1

How reproducible:
always

Comment 1 Kamil Páral 2013-06-25 08:56:38 UTC
Reproduced. Root pw encrypted, user pw unencrypted. Text mode.
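
The condition reported above (root password hashed, ordinary user password left in plaintext in the generated kickstart file) can be checked mechanically. The following is an added example, not part of the original thread and not anaconda's code: `audit_kickstart` and the sample file are constructed for illustration, and it assumes the standard kickstart `rootpw` and `user` commands with their `--iscrypted` flag.

```python
import re
import shlex

# crypt(3) modular format ($id$salt$hash); legacy DES hashes are assumed absent.
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$.+\$.+")

def parse_options(tokens):
    """Split command arguments into {option: value} and positional values."""
    opts, positional = {}, []
    it = iter(tokens)
    for tok in it:
        if tok.startswith("--"):
            key, sep, val = tok.partition("=")
            if not sep and key in ("--name", "--password"):  # "--name bob" form
                val = next(it, "")
            opts[key] = val
        else:
            positional.append(tok)
    return opts, positional

def audit_kickstart(text):
    """Return (line_no, command, account, problem) for each password finding."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            cmd, *args = shlex.split(raw)
        except ValueError:
            continue  # blank line or unbalanced quotes
        if cmd not in ("rootpw", "user"):
            continue
        opts, positional = parse_options(args)
        if cmd == "rootpw":
            account, pw = "root", (positional[0] if positional else None)
        else:
            account, pw = opts.get("--name", "?"), opts.get("--password")
        if pw is None:
            continue  # no password on this line, e.g. "rootpw --lock"
        if "--iscrypted" not in opts:
            findings.append((no, cmd, account, "plaintext password"))
        elif not CRYPT_RE.match(pw):
            findings.append((no, cmd, account, "not a crypt(3) hash"))
    return findings

# Constructed sample, not from the bug report; hash values are placeholders.
SAMPLE_KS = """\
rootpw --iscrypted $6$Zk3pQ9xT$placeholderhashvalue
user --name=alice --password=hunter2 --gecos="Alice"
user --name=svc --password=notahash --iscrypted
"""
print(audit_kickstart(SAMPLE_KS))
```

The second check catches a value that is flagged `--iscrypted` but is not in crypt(3) format, which would leave the account unable to authenticate.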

Comment 2 Andre Robatino 2013-06-25 09:04:56 UTC
The same happens with 19 Final TC6 and with 19 Beta Gold.

Comment 3 Adam Williamson 2013-06-25 16:09:04 UTC
This has very likely always been the case; we only started encrypting the root password specifically a few releases back after a big argument. I'm less worried about a user password, really. Anyone else particularly concerned about this?

Comment 4 Samantha N. Bueno 2013-06-25 17:27:28 UTC
I don't see a good reason _not_ to encrypt a password, normal user or not. It's also not exactly difficult to do. That said, I'm ok with just fixing this in master branch, not f19-branch.

Comment 5 Adam Williamson 2013-06-25 17:28:59 UTC
Samantha: I can't find the bug for the root password offhand, and I don't exactly remember what the argument against encrypting it was.

Comment 6 Steve Tyler 2013-07-06 02:18:49 UTC
The user password should always be encrypted, because if the user is an administrator (in group "wheel"), the user can become root by running "sudo su" and entering the user password.

Also, some people use the same password or similar passwords for the root and user accounts, so knowing one gives attackers the other. If both passwords are encrypted, the encrypted passwords will be different, so neither can be used to get the other.

Verified with F19 Final.

Comment 7 Steve Tyler 2013-07-06 02:43:08 UTC
Thanks for catching this, Andre.

This bug should probably have the "Security" keyword.

Comment 8 Andre Robatino 2013-07-06 06:11:29 UTC
It's pretty clearly an oversight, given that a GUI install encrypts the user password and only a text install doesn't.

Comment 9 Fedora End Of Life 2013-09-16 16:44:22 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20

Comment 10 Samantha N. Bueno 2013-09-20 18:50:04 UTC
Patch posted for review.

Comment 11 Samantha N. Bueno 2013-09-25 15:02:20 UTC
Patch pushed, commit 64609a7f42a762741fadef1d3ead11d231593f7f in master.

Comment 12 Fedora Update System 2013-09-25 16:03:02 UTC
anaconda-20.20-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/anaconda-20.20-1.fc20

Comment 13 Fedora Update System 2013-09-27 00:31:02 UTC
Package anaconda-20.20-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-20.20-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17681/anaconda-20.20-1.fc20
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-09-28 01:16:14 UTC
anaconda-20.21-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/anaconda-20.21-1.fc20

Comment 15 Andre Robatino 2013-10-03 09:46:23 UTC
After doing text installs with 20 Beta TC1 (anaconda 20.21-1) I cannot log in with my ordinary user account, even though anaconda-ks.cfg shows an encrypted user password. The root password works fine. After installation, I can use the passwd command to change the user password to the same password I chose during install, and am then able to log in.

Comment 16 Kamil Páral 2013-10-03 12:04:29 UTC
Andre, that would probably be a blocker. Could you report it as a separate bug and propose it as a Beta blocker (put this bug number into See Also)? Thanks a lot.

Comment 17 Andre Robatino 2013-10-14 08:54:24 UTC
After a minimal text install from the 20 Beta TC2 x86_64 DVD, both root and user passwords are encrypted, and I can log in with either account.

Comment 18 Andre Robatino 2013-11-09 18:43:11 UTC
Closing as this works fine in 20 Beta RC5 (Gold) and anaconda-20.25.6-1 has been pushed stable.

