[arch-general] Password expiring and encryption
Rafael Beraldo
rberaldo at cabaladada.org
Sun Oct 14 17:03:30 EDT 2012
Hello all,
I have my passwords set to expire every 30 days. When they expire, I am asked to input a new, different password.
It turns out that I recently noticed I had to input only the first 8 characters of my password to be able to log in. I discussed this with Hlao-ru on #archlinux and, thanks to him, I found out that passwords generated by passwd were fine but passwords generated after my password expires suffer from the 8-character restriction problem. This problem can be reproduced by manually expiring the password with passwd -e user and then logging in with su user.
So I took a look at man passwd and man login and both programs read /etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in my system, unset. The default value for this parameter is DES, and that could be causing my problem. I set the parameter to SHA512 but that didn't help (I believe I have to reboot the system, and I haven't).
There are a few other files that seem to do a similar job, namely /etc/default/passwd and /etc/pam.d/password.
I am confused: what file controls what programs? And isn't that a bug? The wiki [0] says that newly created passwords use SHA-512 as the encryption, but that's clearly not the case when asked to create a new password.
[0]: https://wiki.archlinux.org/index.php/SHA_password_hashes
Thanks all,
--
Rafael Beraldo
cabaladada.org
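
Added example, not part of the original post: a way to see which accounts ended up with a DES hash (the scheme that only uses the first 8 characters of a password) by looking at the prefix of the second field in shadow-format data. The function names and the sample entries are constructed for illustration; the sample hash strings have the right shape only and are not real digests.

```shell
#!/bin/sh
# Added example: classify the hash scheme of shadow-format entries.

# classify_hash FIELD: print the scheme used by one shadow password field.
classify_hash() {
    case "$1" in
        '')                echo "empty" ;;
        '!'*|'*'*)         echo "locked" ;;
        '$6$'*)            echo "sha512" ;;
        '$5$'*)            echo "sha256" ;;
        '$1$'*)            echo "md5" ;;
        '$2'[aby]'$'*)     echo "bcrypt" ;;
        '$y$'*)            echo "yescrypt" ;;
        *[!./0-9A-Za-z]*)  echo "unknown" ;;
        # Traditional DES crypt: 13 characters, no "$" prefix. Only the
        # first 8 characters of the password contribute to this hash.
        ?????????????)     echo "des" ;;
        *)                 echo "unknown" ;;
    esac
}

# audit_shadow FILE: print "user:scheme" for every entry in FILE.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s:%s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# truncating_accounts FILE: list users whose stored hash is DES crypt.
truncating_accounts() {
    audit_shadow "$1" | awk -F: '$2 == "des" { print $1 }'
}

# Constructed sample in /etc/shadow format (placeholder hashes, not real).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$CONSTRUCTEDsha512digest:15627:0:30:7:::
bob:abCDEFGHIJKLM:15627:0:30:7:::
daemon:!:15627::::::
guest::15627:0:30:7:::
EOF
}

demo=$(mktemp)
sample_shadow > "$demo"
audit_shadow "$demo"
rm -f "$demo"
```

On a live system, running truncating_accounts /etc/shadow as root before and after a forced change (passwd -e user, then su user) shows whether the expiry path wrote a DES hash.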