
[linux-security] Re: MD5 passwords in Red Hat Linux 6.1



"Michael H. Warfield" <mhw wittsend com> writes:

> On Sat, Oct 30, 1999 at 03:39:05PM +0400, Eugene Morozov wrote:
> > Hello,
> > Recently I realized that entering first 8 characters from my root
> > password is enough to log in as root although I've enabled MD5
> > passwords in installation program.  Also I've added two other users
> > during installation.  After looking through /etc/shadow it seems that
> > root's password isn't md5 although passwords of other two users are
> > md5.
> > Is it correct behaviour?
> 
> 	It might be...  It depends on what order you did things.
> 
> 	If you switched to md5 hashes after you last changed the root
> password, the root password hashes are still going to be what they
> were before switching to md5.  The reason is that there is no conversion
> of the hashes from DES to md5.  There can't be, since the two are not
> algorithmically related and are both one-way hashing functions.  If you
> changed the root password (even if it was to change it to the same
> thing) after switching to md5 hashes you should then have md5 hashes
> in /etc/shadow.
I've created root account and other two accounts during installation,
so the problem is that root password isn't md5 and other two passwords 
are md5 although they were created simultaneously.
> 
> 	The pam modules recognize which style hash is in use for a given
> user so they recognize older DES hashes even if md5 is enabled.  That
> would be necessary to avoid forcing everyone on the system to change
> their password when the hash style got changed.
Yes, I know, I think it recognizes md5 passwords by string '$1$' that
you must prepend to salt for crypt function (info libc "Cryptographic
Functions" crypt, because man page for crypt(3) is outdated) if you
want to use md5 hash.
> 
> 	The root password hash on my system is in md5.
> 
> 	Try the following...
> 
> 	Change the root password to the same value (or from its shorter
> 8 character value to its longer value).  If the hash in /etc/shadow is
> corrected to an md5 hash, you're done.  If it's still a DES hash and it's
> different than the original hash, I would be amazed.  If the hash was not
> changed at all, then the PAM libs are smarter than they're good for and
> realized that you didn't really change the password (but you did, it's
> longer) and left the hash alone.  I would call that a bug.
> 
> 	If you didn't get md5 hashes from that, try this...  Change the
> root password to a different value and then change it back.  The hash in
> /etc/shadow really REALLY should be an md5 hash.
> 
> 	Let me know the results either way...  :-)
I've changed root password and now it is stored as md5 in
/etc/shadow.  I think there's a bug in Red Hat installer. 
Eugene

-- 
Email: <jmv @ lucifer dorms spbu ru>  Homepage: http://lucifer.dorms.spbu.ru
To get my public key: `mail -s PGP jmv @ lucifer dorms spbu ru < /dev/null' 
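The thread's observation, turned into a small audit that is added here and is not code from the thread: it reads /etc/shadow-style lines and reports which accounts still carry a 13-character DES hash (where only the first 8 characters of the password are significant) versus a `$1$` MD5 hash. The shadow lines and hash values below are constructed placeholders, not real accounts.

```python
import re

# Constructed sample in /etc/shadow format; the hash values are placeholders.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:10893:0:99999:7:::
eugene:$1$Oqr8TBz3$9lZlAq6xdn3n6E5pSXBZd/:10893:0:99999:7:::
alice:$1$Zc2xMnc7$Yb0Rv8FoVUp2RhLrZ1.tz1:10893:0:99999:7:::
daemon:*:10893:0:99999:7:::
guest::10893:0:99999:7:::
"""

# Traditional DES crypt(3) output: exactly 13 characters from the crypt alphabet.
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")


def hash_format(field: str) -> str:
    """Classify one shadow password field by its crypt(3) prefix."""
    if field == "":
        return "empty"          # no password at all
    if field.startswith(("*", "!")):
        return "locked"         # account cannot log in with a password
    if field.startswith("$1$"):
        return "md5"            # MD5 crypt: '$1$' + salt + '$' + hash
    if DES_HASH.fullmatch(field):
        return "des"            # DES crypt: only first 8 password chars matter
    return "unknown"


def audit_shadow(text: str) -> dict:
    """Map each user name to the format of its stored hash."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw_field = line.split(":", 2)[:2]
        findings[user] = hash_format(pw_field)
    return findings


def weak_accounts(text: str) -> list:
    """Accounts whose password should be re-set so an MD5 hash is stored."""
    return sorted(u for u, f in audit_shadow(text).items() if f in ("des", "empty"))


if __name__ == "__main__":
    for user, fmt in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10s} {fmt}")
    print("needs password change:", weak_accounts(SAMPLE_SHADOW))
```

Run against the real /etc/shadow (as root) to find accounts, like the root account in the thread, that were never re-hashed after MD5 was enabled.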
