Hello,

Recently I realized that entering the first 8 characters of my root password is enough to log in as root, although I've enabled MD5 passwords in the installation program. Also, I've added two other users during installation. After looking through /etc/shadow it seems that root's password isn't md5, although the passwords of the other two users are md5.

Is it correct behaviour?

Eugene
-- 
Email: <jmv @ lucifer dorms spbu ru>
Homepage: http://lucifer.dorms.spbu.ru
To get my public key: `mail -s PGP jmv @ lucifer dorms spbu ru < /dev/null'
Eugene Morozov
1999-Oct-30 13:58 UTC
[linux-security] Re: MD5 passwords in Red Hat Linux 6.1
"Michael H. Warfield" <mhw@wittsend.com> writes:

> On Sat, Oct 30, 1999 at 03:39:05PM +0400, Eugene Morozov wrote:
> > Hello,
> > Recently I realized that entering the first 8 characters of my root
> > password is enough to log in as root, although I've enabled MD5
> > passwords in the installation program. Also, I've added two other users
> > during installation. After looking through /etc/shadow it seems that
> > root's password isn't md5, although the passwords of the other two users are
> > md5.
> > Is it correct behaviour?
>
> It might be... It depends on what order you did things.
>
> If you switched to md5 hashes after you last changed the root
> password, the root password hashes are still going to be what they
> were before switching to md5. The reason is that there is no conversion
> of the hashes from DES to md5. There can't be, since the two are not
> algorithmically related and are both one-way hashing functions. If you
> changed the root password (even if it was to change it to the same
> thing) after switching to md5 hashes you should then have md5 hashes
> in /etc/shadow.

I've created the root account and the other two accounts during installation, so the problem is that the root password isn't md5 and the other two passwords are md5, although they were created simultaneously.

> The pam modules recognize which style hash is in use for a given
> user so they recognize older DES hashes even if md5 is enabled. That
> would be necessary to avoid forcing everyone on the system to change
> their password when the hash style got changed.

Yes, I know. I think it recognizes md5 passwords by the string '$1$' that you must prepend to the salt for the crypt function (info libc "Cryptographic Functions" crypt, because the man page for crypt(3) is outdated) if you want to use an md5 hash.

> The root password hash on my system is in md5.
>
> Try the following...
>
> Change the root password to the same value (or from its shorter
> 8 character value to its longer value). If the hash in /etc/shadow is
> corrected to an md5 hash, you're done. If it's still a DES hash and it's
> different than the original hash, I would be amazed. If the hash was not
> changed at all, then the PAM libs are smarter than they're good for and
> realized that you didn't really change the password (but you did, it's
> longer) and left the hash alone. I would call that a bug.
>
> If you didn't get md5 hashes from that, try this... Change the
> root password to a different value and then change it back. The hash in
> /etc/shadow really REALLY should be an md5 hash.
>
> Let me know the results either way... :-)

I've changed the root password and now it is stored as md5 in /etc/shadow. I think there's a bug in the Red Hat installer.

Eugene
-- 
Email: <jmv @ lucifer dorms spbu ru>
Homepage: http://lucifer.dorms.spbu.ru
To get my public key: `mail -s PGP jmv @ lucifer dorms spbu ru < /dev/null'
Andries.Brouwer@cwi.nl
1999-Oct-30 23:43 UTC
[linux-security] Re: MD5 passwords in Red Hat Linux 6.1
> because the man page for crypt(3) is outdated

Hmm. Could you send an updated version?

[It is against the Linux rules to say that it is well-known that something is wrong. If something is wrong it must be fixed.]

Andries
aeb@cwi.nl