Description of problem:

On an RHS system installed from the ISO, the hash algorithm used for user passwords is the very strong 'SHA512', while for an RHS system installed over the network, from RH Satellite, the hash algorithm would be the default MD5, which is much weaker.

---------------------------------------
On RHS system installed from ISO:

# grep root /etc/shadow
root:$6$P.DzwYQwoIWEFbAv$7mwZAdv2g.Jam1VdMQliAaekH3jODNi3GlopreQ8VMBnJBFLf1q20rSiild5egNizm0y35GgylSGivKXWAHdL.:15922:0:99999:7:::

On RHS system installed over the network:

# grep root /etc/shadow
root:$1$i9WfbnLH$fi8ikP4SdQMFuRSTz1Jl8.:15923:0:99999:7:::

Note: $6$ indicates SHA512, and $1$ indicates MD5
---------------------------------------

On the ISO installed system, the stronger password hash is set by the following kickstart directive in the ks.cfg file, in the initrd.

---------------------------------------
authconfig --enableshadow --passalgo=sha512
---------------------------------------

An equal setting should be ensured for RHS systems installed over the network, from RH Satellite.

Version-Release number of selected component (if applicable):
RHS 2.1

Actual results:
RHS systems installed over the network, from RH Satellite, use the MD5 hash algorithm for user passwords, which is much weaker than the SHA512 hash algorithm used in RHS systems installed through the ISO.

Expected results:
The RHS systems should use the same hash algorithm for user passwords, preferably the stronger one, regardless of mode of install.

Additional info:
This seems like a RHEL bug (why hasn't the default changed to at least sha1 or sha256?) if anything; mostly I would expect someone doing a network install to configure this themselves though. I'd recommend noting this in the install guide at most.
Agree with what Aj is saying.
(In reply to Anthony Towns from comment #1)
> This seems like a RHEL bug (why hasn't the default changed to at least sha1
> or sha256?) if anything; mostly I would expect someone doing a network
> install to configure this themselves though. I'd recommend noting this in
> the install guide at most.

Looks like this is not a RHEL bug. RHEL 6.4 now, by default, sets the very strong 'SHA512' as the hash algorithm for user passwords.

---------------------------------------------------------------------------
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

# grep root /etc/shadow
root:$6$2ZsCr4oCmlUF6sb.$r2bELcCsINYj7TMkz/ys/YhqOhPlIUnmGDP9rfeW86MxvRoXK1lkUUfObEX4Df44QI2.CoGW0u1RV1b7eNQDk.:15929:0:99999:7:::
---------------------------------------------------------------------------

This looks more like a RH Satellite server bug, which sets the following by default in the kickstart file, thereby setting the hash algorithm to MD5 on the end system.

---------------------------------------------------------------------------
auth --enablemd5 --enableshadow
---------------------------------------------------------------------------

A quick search did not reveal any BZ open on this for RH Satellite. I will search further for it, and if not found, will open a new BZ on it.

Proposed Solution
-----------------

1) So I believe that we need to document that, for RH Satellite based RHS installs, while creating the Kickstart Profile, the 'auth' field in the Kickstart Profile at 'Kickstart Details-->Advanced Options' is recommended to be set to the one given below.

---------------------------------------------------------------------------
--enableshadow --passalgo=sha512
---------------------------------------------------------------------------

This will set the following directive in the kickstart file, thereby ensuring that the RHS system installed off this kickstart file will have as default the very strong 'SHA512' as the hash algorithm for user passwords.

---------------------------------------------------------------------------
auth --enableshadow --passalgo=sha512
---------------------------------------------------------------------------

2) But there will still be an issue for the root password, which is being set directly using the MD5 hash algorithm by default, in the Kickstart Profile, and thereby in the Kickstart file. Possibly a case for another RH Satellite BZ?

So we may also need to document that, for RH Satellite based RHS installs, it is recommended that the root password either be reset after RHS installation, or that a pre-prepared SHA512 hash based root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile.

Sayan and AJ, comments?
(In reply to Rejy M Cyriac from comment #4)
> This looks more of a RH Satellite server bug, which sets the following by
> default in the kickstart file, thereby setting the hash algorithm to MD5 on
> the end system.
> auth --enablemd5 --enableshadow

Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?

https://access.redhat.com/site/solutions/31832
https://bugzilla.redhat.com/show_bug.cgi?id=879332
(In reply to Anthony Towns from comment #5)
> (In reply to Rejy M Cyriac from comment #4)
> > This looks more of a RH Satellite server bug, which sets the following by
> > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > the end system.
> > auth --enablemd5 --enableshadow
>
> Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
>
> https://access.redhat.com/site/solutions/31832
> https://bugzilla.redhat.com/show_bug.cgi?id=879332

It appears that the BZ fixed a bug that caused a rehash to MD5 of the pre-prepared SHA512 password supplied using the API 'kickstart.profile.setAdvancedOptions'.

If you have a look at

https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8

that explains the fix in a nutshell as:

-------------------------------------------------------
verified that kickstart.profile.setAdvancedOptions:

* won't rehash supplied password (supplied in "rootpw")
  if "md5_crypt_rootpw" is not set to value that can be
  converted to java Boolean.
* will rehash supplied password if md5_crypt_rootpw is
  set to e.g. "True".
-------------------------------------------------------

It looks like the default of MD5 hash was not changed, so as not to break support for pre-RHEL 6 system installs.
(In reply to Rejy M Cyriac from comment #6)
> (In reply to Anthony Towns from comment #5)
> > (In reply to Rejy M Cyriac from comment #4)
> > > This looks more of a RH Satellite server bug, which sets the following by
> > > default in the kickstart file, thereby setting the hash algorithm to MD5 on
> > > the end system.
> > > auth --enablemd5 --enableshadow
> >
> > Aha, good catch. This looks like it's already fixed in Satellite 5.5 though?
> >
> > https://access.redhat.com/site/solutions/31832
> > https://bugzilla.redhat.com/show_bug.cgi?id=879332
>
> It appears that the BZ fixed a bug that caused a rehash to MD5, of the
> pre-prepared SHA512 password supplied using the API
> 'kickstart.profile.setAdvancedOptions'
>
> If you have a look at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=879332#c8
>
> that explains the fix in a nutshell as :
>
> -------------------------------------------------------
>
> verified that kickstart.profile.setAdvancedOptions:
>
> * won't rehash supplied password (supplied in "rootpw")
>   if "md5_crypt_rootpw" is not set to value that can be
>   converted to java Boolean.
> * will rehash supplied password if md5_crypt_rootpw is
>   set to e.g. "True".
>
> -------------------------------------------------------
>
> It looks like the default of MD5 hash was not changed, so as not to break
> support for pre-RHEL 6 systems installs.

And it is because of the existence of the fix that we are able to do the second part of Step 2 in my proposed solution in Comment 4:

"...or the SHA512 hash algorithm based pre-prepared root password be put into the 'rootpw' field at 'Kickstart Details-->Advanced Options' of the Kickstart Profile."
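As an added illustration of the check in the report and of the "pre-prepared SHA512 root password" part of the proposed solution (example code written for this thread, not tooling from Red Hat Storage, Satellite or glibc): the script below classifies the hash field of shadow lines by its $id$ prefix, the way the report reads $6$ and $1$ by eye, flags the MD5 and DES schemes, and produces a SHA-512 crypt string that can be pasted into the 'rootpw' field as 'rootpw --iscrypted <hash>' so the profile no longer depends on Satellite's MD5 default. sha512_crypt() is a from-scratch implementation of the glibc SHA-crypt scheme (not glibc's code), included so the example runs without Python's deprecated 'crypt' module; the shadow lines are constructed sample input that reuses the two hashes quoted in the report, and the function names are assumptions of this example.

```python
"""Audit /etc/shadow hash schemes and build a SHA-512 crypt hash for the
kickstart 'rootpw --iscrypted' field.

Added example for this thread, not code from Red Hat Storage, Satellite or
glibc. sha512_crypt() re-implements glibc's SHA-crypt scheme (Drepper's
sha-crypt specification). SAMPLE_SHADOW is constructed input reusing the
two hashes quoted in the report.
"""
import hashlib
import secrets

# Scheme id at the start of the hash field in /etc/shadow.
PREFIXES = {
    "$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK = {"md5", "des"}  # fast legacy schemes an auditor should flag
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify(hash_field):
    """Name the scheme of one shadow hash field ('empty', 'locked', ...)."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "des"  # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def audit_shadow(text):
    """Return [(user, scheme)] for every account whose hash scheme is weak."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = classify(fields[1])
        if scheme in WEAK:
            findings.append((fields[0], scheme))
    return findings


def _b64_from_24bit(b2, b1, b0, n):
    # crypt(3)-style base64: n chars, least significant 6 bits first
    w, out = (b2 << 16) | (b1 << 8) | b0, ""
    for _ in range(n):
        out, w = out + ITOA64[w & 0x3F], w >> 6
    return out


def sha512_crypt(password, salt=None, rounds=5000):
    """Return the '$6$...' string glibc crypt(3) would produce."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    salt = salt.split("$", 1)[0][:16]       # glibc: salt stops at '$', max 16
    rounds = min(max(rounds, 1000), 999999999)
    pw, sb = password.encode(), salt.encode()
    sha = lambda data: hashlib.sha512(data).digest()
    b = sha(pw + sb + pw)                    # digest B
    a = hashlib.sha512(pw + sb)              # digest A
    a.update(b * (len(pw) // 64) + b[:len(pw) % 64])
    n = len(pw)
    while n:                                 # bits of len(pw), low bit first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = (sha(pw * len(pw)) * (len(pw) // 64 + 1))[:len(pw)]
    s = (sha(sb * (16 + a[0])) * (len(sb) // 64 + 1))[:len(sb)]
    c = a
    for i in range(rounds):                  # key-stretching loop
        d = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            d.update(s)
        if i % 7:
            d.update(p)
        d.update(c if i & 1 else p)
        c = d.digest()
    out = ""                                 # permuted base64 of the 64 bytes
    for k in range(21):
        i, j, m = k, k + 21, k + 42
        if k % 3 == 1:
            i, j, m = j, m, i
        elif k % 3 == 2:
            i, j, m = m, i, j
        out += _b64_from_24bit(c[i], c[j], c[m], 4)
    out += _b64_from_24bit(0, 0, c[63], 2)
    tag = "$6$" + ("" if rounds == 5000 else f"rounds={rounds}$")
    return tag + salt + "$" + out


def kickstart_lines(root_hash):
    """Kickstart directives replacing Satellite's MD5 defaults."""
    return ["auth --enableshadow --passalgo=sha512",
            "rootpw --iscrypted " + root_hash]


SAMPLE_SHADOW = """\
root:$1$i9WfbnLH$fi8ikP4SdQMFuRSTz1Jl8.:15923:0:99999:7:::
ops:$6$P.DzwYQwoIWEFbAv$7mwZAdv2g.Jam1VdMQliAaekH3jODNi3GlopreQ8VMBnJBFLf1q20rSiild5egNizm0y35GgylSGivKXWAHdL.:15922:0:99999:7:::
svc:!!:15922:0:99999:7:::
"""
```

Running audit_shadow(SAMPLE_SHADOW) reports only the root account (md5); kickstart_lines(sha512_crypt("<password>")) gives the two directives to put in the profile. On a host that still has a system crypt(3) the implementation can be cross-checked with the specification's own vector, "Hello world!" with salt "saltstring", and with the fixed Satellite from BZ 879332 the pasted hash is left alone as long as md5_crypt_rootpw is not set to a true value.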
Hi Rejy,

Based on our discussion, the information is added as "Important" in section 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart Profile".

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf
(In reply to Bhavana from comment #8)
> Hi Rejy,
>
> Based on our discussion, the information is added as "Important" in section
> 4.3 Installing from Red Hat Satellite server, under "Creating a Kickstart
> Profile".
>
> http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/
> 2.1/pdf/Installation_Guide/Red_Hat_Storage-2.1-Installation_Guide-en-US.pdf

Not able to access the provided URL. The hosting server seems to be not reachable.

If the issue is not immediately resolvable, please attach the relevant part of the document to this BZ for verification.

Cheers,
rejy (rmc)
Hi Rejy,

The staging server is now up.

http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_Storage/2.1/html/Installation_Guide/sect-Installation_Guide-Install_RHS-from_Satellite_server.html

Thanks,
Bhavana
Looks good, verified.
This doc bug was fixed and verified against Red Hat Storage 2.1 enhancement and bug fix update (https://rhn.redhat.com/errata/RHBA-2013-1262.html) released 2013-09-16. Moving bug to CLOSED - CURRENT RELEASE.