Bug 260364

Summary: sys-libs/pam opasswd should be able to use SHA-256 or SHA-512 hashing
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor CC: gengor, pam-bugs+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=486604
Whiteboard: B4 [upstream?]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 11:05:37 UTC
Quoting Rob James on the referenced bug report:

With the "remember=x" option to pam_unix for recording password history to
/etc/security/opasswd the old password hashes stored in opasswd are always MD5
crypted even if pam_unix is configured for sha256 or sha512.
/etc/security/opasswd should be treated in the same way as /etc/shadow for
security reasons. There should at least be some way to use sha256/sha512 for
opasswd.

Version-Release number of selected component (if applicable):
pam 0.99.6.2

How reproducible:
Every time

Steps to Reproduce:
1. Use authconfig to enable SHA-512 passwords (--passalgo=sha512)
2. In system-auth add "remember=3" to the pam_unix.so password entry
3. Add a local user
4. Login as that user and change the password to something else

Actual results:
The old password is stored in MD5 format

Expected results:
The old password is stored in SHA-512 format
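An added audit script (not from the bug report or from Linux-PAM) that reports which crypt(3) algorithm the history hashes in /etc/security/opasswd use, so an administrator can see whether the MD5 behaviour described above is present; the line layout `user:uid:count:hash1,hash2,...` is assumed from pam_unix's own opasswd format, and the sample lines are constructed.

```python
# Audit opasswd history hashes. pam_unix writes one line per user as
# "user:uid:count:hash1,hash2,..."; crypt(3) hashes carry a "$id$" prefix,
# legacy DES hashes have none.
import sys

CRYPT_IDS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt"}
# Algorithms a hardened history policy would accept (same bar as /etc/shadow).
STRONG = {"sha256", "sha512", "bcrypt", "scrypt", "yescrypt"}

def hash_algorithm(h: str) -> str:
    """Return the algorithm name encoded in a crypt(3) hash prefix."""
    if h.startswith("$"):
        return CRYPT_IDS.get(h.split("$")[1], "unknown")
    return "des"  # no "$id$" prefix: traditional DES crypt

def parse_opasswd(text: str) -> list:
    """Parse opasswd content into (user, uid, count, [hashes]) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, uid, count, hashes = line.split(":", 3)
        entries.append((user, int(uid), int(count),
                        [h for h in hashes.split(",") if h]))
    return entries

def weak_history(text: str) -> dict:
    """Map each user to the algorithms of their weakly hashed history entries."""
    report = {}
    for user, _uid, _count, hashes in parse_opasswd(text):
        weak = [a for a in map(hash_algorithm, hashes) if a not in STRONG]
        if weak:
            report[user] = weak
    return report

# Constructed sample: alice's history was written as MD5 (the behaviour the bug
# describes), bob's by a pam_unix honouring sha512, carol has a legacy DES hash.
SAMPLE = (
    "alice:1000:2:$1$saltsalt$hashhashhashhashhashha,$1$tlastlas$hsahhsahhsah\n"
    "bob:1001:1:$6$saltsaltsaltsalt$hashhashhashhashhashhashhash\n"
    "carol:1002:1:abJnggxhB/yWI\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, algs in weak_history(text).items():
        print(f"{user}: weak history hash(es): {', '.join(algs)}")
```

Run it as root with the path to opasswd to audit a live system; any user listed still has MD5 or DES entries in their password history.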
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-26 11:07:24 UTC
According to Flameeyes, this is not enabled by default. However, it might still increase the risk of information disclosure for people using the feature.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-02-26 11:55:18 UTC
No new release from upstream yet, and I'd rather not patch, so I'd just keep waiting to see if they release a 1.0.4.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-06-21 16:50:32 UTC
I see nothing new from the upstream bug, do we still count this as a security bug?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 12:58:32 UTC
Do you have a reference to the upstream bug?
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:31:12 UTC
This is a hardening issue, not a security issue.