george.shaffer at comcast.net
2014-Jan-09 10:36 UTC
[CentOS] Hash rounds in /etc/libuser.conf won't work
Two weeks ago I reported a problem I was having in the CentOS 5 Security Support forum. I could not get hash rounds, configured in /etc/libuser.conf, to work on CentOS release 5.10 (Final), 2.6.18-371.3.1.el5 x86_64. The details are here: https://www.centos.org/forums/viewtopic.php?f=24&t=44245&sid=975951a5a0eb264945bbf550ea076278

I read all the documentation and looked for more off the CentOS site. I searched the entire CentOS site for hash_rounds_min and hash_rounds_max, the parameters changed in libuser.conf to configure the desired changes, without a single hit in any area on either. Over 800 people have seen my post and not a single reply; not unusual in that forum for what may be an infrequent situation. I'm guessing very few people have tried these options.

At the same time I changed the hashing algorithm. Hash rounds only works with sha256 or sha512. The algorithm change worked the first time.

The concept of configurable hash rounds is that the administrator can adapt the hashing process to the specific hardware on which this is being configured and, on faster hardware when a system is installed late in an OS's life cycle, up the rounds to make cracking harder. If an admin is willing to make users wait 2 seconds on every login and su, then a cracker on similar hardware could only get 0.5 cracks per second. This would make even 3 character passwords that did not fall to dictionary attacks tedious, and "good" 6 character passwords would be uncrackable. Even with a fast cracking network, with multiple GPGPU enabled PCs and a mixture of compromised systems working 10,000 times faster than a single PC, good 6 character passwords would be a serious obstacle and 8 uncrackable.

I need this for a paper I'm writing which maintains "After 20 Years, Windows Passwords Still Broken". I want to compare Windows' poor MD4 with no salts (this is about NT hashes, not the notoriously broken LM hashes), to Unix-like with salts, choice of algorithms, and hashing cycle control. The comparison is much weaker if I have no working example for one of the 3 key pieces on the Unix side.

If anyone has successfully used hash rounds controls, I'd very much like to know what you did that I missed in my detailed forum report. It's possible there is no bug. I'm basing this on the belief that 900 million to 1 billion hashing rounds with SHA512 should produce a substantial delay and not complete in a small fraction of a second. Either my knowledge is way off, or my PC is MUCH faster than I thought it was, or there is a bug, if I've done everything correctly according to the documentation.

I looked up how to report a bug and this said to submit the report to the CentOS-qa mailing list but I cannot find such a list. Is there such a list or any bug reporting procedure?

If this is a duplicate post I apologize. I sent one yesterday and never got it and it's not in the archives when messages sent later are.
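Whether a libuser.conf rounds setting actually took effect can be checked from the resulting /etc/shadow entries, because sha256crypt/sha512crypt hashes record the rounds they were produced with in a `rounds=N$` field (absent means the default of 5000). The script below is an added example, not code from the poster or from libuser; the shadow lines are constructed and their digests are placeholders, and the 1000..999999999 clamp is glibc's sha-crypt behaviour.

```python
import re

# glibc sha-crypt limits: rounds outside this range are silently clamped
ROUNDS_DEFAULT = 5000
ROUNDS_MIN = 1000
ROUNDS_MAX = 999_999_999
ALGO_IDS = {"5": "sha256", "6": "sha512"}

# Constructed sample shadow lines; the digests are placeholders, not real hashes
SAMPLE_SHADOW = [
    "alice:$6$rounds=100000$c0nstructedSalt$PLACEHOLDERdigestNotRealxxx:16444:0:99999:7:::",
    "bob:$6$c0nstructedSalt$PLACEHOLDERdigestNotRealxxx:16444:0:99999:7:::",
    "carol:$6$rounds=2000000000$c0nstructedSalt$PLACEHOLDERdigest:16444:0:99999:7:::",
    "dave:$1$c0nstruct$PLACEHOLDERmd5digest:16444:0:99999:7:::",
    "svc:!!:16444:0:99999:7:::",
]


def parse_crypt_hash(hash_field):
    """Return (algorithm, effective_rounds, rounds_explicit) for a $5$/$6$ hash,
    or None for any other hash format."""
    m = re.match(r"^\$(5|6)\$(?:rounds=(\d+)\$)?([^$]+)\$([^$]+)$", hash_field)
    if not m:
        return None
    algo = ALGO_IDS[m.group(1)]
    if m.group(2) is None:
        return algo, ROUNDS_DEFAULT, False
    # Report the count glibc really used, not the one that was requested
    rounds = min(max(int(m.group(2)), ROUNDS_MIN), ROUNDS_MAX)
    return algo, rounds, True


def audit_shadow(lines, rounds_min, rounds_max):
    """List (user, reason) for accounts whose effective rounds fall outside
    [rounds_min, rounds_max] or that do not use sha-crypt at all.
    Locked or passwordless accounts ('!', '*' or empty field) are skipped."""
    findings = []
    for line in lines:
        user, hash_field = line.split(":")[:2]
        if hash_field[:1] in ("!", "*", ""):
            continue
        parsed = parse_crypt_hash(hash_field)
        if parsed is None:
            findings.append((user, "non-sha-crypt hash"))
            continue
        algo, rounds, explicit = parsed
        if not rounds_min <= rounds <= rounds_max:
            findings.append((user, f"{algo} rounds={rounds} (explicit={explicit})"))
    return findings
```

Run against the real /etc/shadow (as root), an account still showing the 5000 default after a password change is the quickest sign that the configured rounds were never applied.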