[arch-general] Password expiring and encryption
Hello all,

I have my passwords set to expire every 30 days. When they expire, I am asked to input a new, different password.

It turns out that I recently noticed I had to input only the first 8 characters of my password to be able to log in. I discussed this with Hlao-ru on #archlinux and, thanks to him, I found out that passwords generated by passwd were fine but passwords generated after my password expired suffer from the 8-character restriction problem. This problem can be reproduced by manually expiring the password with passwd -e user and then logging in with su user.

So I took a look at man passwd and man login and both programs read /etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in my system, unset. The default value for this parameter is DES, and that could be causing my problem. I set the parameter to SHA512 but that didn't help (I believe I have to reboot the system, and I haven't).

There are a few other files that seem to do a similar job, namely /etc/default/passwd and /etc/pam.d/password.

I am confused: which file controls which programs? And isn't that a bug? The wiki [0] says that newly created passwords use SHA-512 as the encryption, but that's clearly not the case when asked to create a new password.

[0]: https://wiki.archlinux.org/index.php/SHA_password_hashes

Thanks all,

-- Rafael Beraldo cabaladada.org
On 10/14/12 at 06:03pm, Rafael Beraldo wrote:
A few minutes ago I tinkered with this exact issue on my hobbyist LFS, introducing PAM to my setup. The installation page for shadow states the following:

"The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions" [0]

After that, several files for different services or programs are created, "system-passwd" being one of them, where the line is identical to that of "/etc/pam.d/passwd" shipped with the Arch Linux pam package:

password required pam_unix.so sha512 shadow nullok

That line enforces hashing of the password with SHA512 if available the next time the password is set anew. This should explain why you did not find any of those options in login.defs.

Have you tried backing up default/passwd and deleting it? On my LFS, there is no such file and I can't find the point of its creation in the PKGBUILD of pam.

HTH,
Christoph
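To check which accounts are actually affected by the 8-character truncation described in the thread, the following added script (not from either poster) classifies /etc/shadow password fields by hash scheme and reports the legacy DES entries, and reads the effective ENCRYPT_METHOD from login.defs text. The shadow entries and hashes below are constructed samples; the account names and dummy hash values are not from any real system.

```python
import re

# Modular-crypt identifiers ($id$...) as used by glibc/libxcrypt.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

# Traditional DES crypt(3): 2-char salt + 11-char hash, no '$' prefix.
# This is the scheme that only ever looks at the first 8 password characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Name the scheme behind one /etc/shadow password field."""
    if field == "" or field[0] in "*!":
        return "locked/none"          # no usable password hash
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, "unknown-modular")
    if DES_RE.match(field):
        return "DES"
    return "unknown"


def audit_shadow(lines) -> list:
    """Return the users whose stored hash is DES (8-character truncation)."""
    weak = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        if classify_hash(fields[1]) == "DES":
            weak.append(fields[0])
    return weak


def encrypt_method(login_defs: str) -> str:
    """Effective ENCRYPT_METHOD in login.defs text; unset falls back to DES."""
    for line in login_defs.splitlines():
        m = re.match(r"^\s*ENCRYPT_METHOD\s+(\S+)", line)
        if m:
            return m.group(1).upper()
    return "DES"


# Constructed sample entries (not from any real system); hashes are dummies.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$CONSTRUCTEDSHA512HASH:15600:0:99999:7:::",
    "rafael:abJnggxhB/yWI:15627:0:30:7:::",   # 13-char DES-style hash
    "svc:!:15600:0:99999:7:::",
]

if __name__ == "__main__":
    print("DES-hashed accounts:", audit_shadow(SAMPLE_SHADOW))   # ['rafael']
    print("login.defs default:", encrypt_method("# ENCRYPT_METHOD unset\n"))
```

Run it against the real file with `audit_shadow(open("/etc/shadow").read().splitlines())` as root; any account it lists will keep its truncated hash until that user sets a new password through a SHA-512-configured passwd/PAM stack.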
participants (2)
-
Christoph Vigano
-
Rafael Beraldo