[arch-general] Password expiring and encryption

Christoph Vigano mail at cvigano.de
Sun Oct 14 18:57:08 EDT 2012


On 10/14/12 at 06:03pm, Rafael Beraldo wrote:
> Hello all,
> 
> I have my passwords set to expire every 30 days. When they expire, I am
> asked to input a new, different password.
> 
> It turns out that I recently noticed I had to input only the first 8
> characters of my password to be able to log in. I discussed this with
> Hlao-ru on #archlinux and, thanks to him, I found out that passwords
> generated by passwd were fine but passwords generated after my password
> expires suffer from the 8-character restriction problem. This problem can
> be reproduced by manually expiring the password with passwd -e user and
> then logging in with su user.
> 
> So I took a look at man passwd and man login and both programs read
> /etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in
> my system, unset. The default value for this parameter is DES, and that
> could be causing my problem. I set the parameter to SHA512 but that
> didn't help (I believe I have to reboot the system, and I haven't).
> 
> There are a few other files that seem to do a similar job, namely
> /etc/default/passwd and /etc/pam.d/password.
> 
> I am confused: which file controls which programs? And isn't that a bug?
> The wiki [0] says that newly created passwords use SHA-512 as the
> encryption, but that's clearly not the case when asked to create a new
> password.
> 
> [0]: https://wiki.archlinux.org/index.php/SHA_password_hashes
> 
> Thanks all,
> 
> -- 
> Rafael Beraldo
> cabaladada.org

A few minutes ago I tinkered with this exact issue on my hobbyist LFS,
introducing PAM to my setup.

The installation page for shadow states the following:
"The login program currently performs many functions which Linux-PAM
modules should now handle. The following sed command will comment out
the appropriate lines in /etc/login.defs, and stop login from performing
these functions" [0]

After that, several files for different services or programs are
created, "system-passwd" being one of them, where the line is identical
to that of "/etc/pam.d/passwd" shipped with the Arch Linux pam package:

password  required  pam_unix.so sha512 shadow nullok

That line enforces hashing of the password with SHA512 if available the
next time the password is set anew.

This should explain why you did not find any of those options in
login.defs. Have you tried backing up default/passwd and deleting it?
On my LFS, there is no such file and I can't find the point of its
creation in the PKGBUILD of pam.

HTH,
Christoph
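An added audit script, not code from this thread or from the shadow or pam projects, that checks the two things the thread turns on: which crypt(3) scheme each stored password hash actually uses (a traditional DES hash is 13 characters with no `$` prefix, and only the first 8 characters of the password go into it), and what the two configuration points discussed above say, namely ENCRYPT_METHOD in /etc/login.defs and the algorithm option on the pam_unix.so password line. The shadow, login.defs and pam.d sample texts are constructed for the demo (placeholder hashes, not real credentials), and the function names are the example's own. When the pam_unix line carries no algorithm option the script only reports that; what the module falls back to in that case depends on the PAM version, so the example does not guess.

```python
"""Audit password hashing schemes in /etc/shadow-style data and in the
login.defs / pam.d settings that control them. Added example; all sample
data below is constructed and the hash strings are placeholders."""
import re

# crypt(3) prefix -> scheme name (modular crypt format)
PREFIXES = {
    "$6$": "sha512",
    "$5$": "sha256",
    "$1$": "md5",
    "$y$": "yescrypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}
# Traditional DES crypt: exactly 13 characters from this alphabet, no '$'.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Options pam_unix.so accepts to select the hash used when a password is set.
PAM_HASH_OPTIONS = {"sha512", "sha256", "md5", "yescrypt", "blowfish", "bigcrypt"}

# Constructed sample /etc/shadow entries (placeholder hashes, not real).
SAMPLE_SHADOW = """\
root:$6$saltsalt$PlaceholderSha512HashValueForTheDemo:15600:0:99999:7:::
alice:$6$Qe3k9Xv1$AnotherPlaceholderSha512Hash:15600:0:30:7:::
bob:abJnggxhB/yWI:15600:0:30:7:::
carol:$1$abcdefgh$Md5PlaceholderHash:15600:0:30:7:::
daemon:*:15600:0:99999:7:::
guest:!:15600:0:99999:7:::
"""

# Constructed login.defs fragments: one with ENCRYPT_METHOD set, one without.
SAMPLE_LOGIN_DEFS = "# ENCRYPT_METHOD DES\nENCRYPT_METHOD SHA512   # set by admin\nUMASK 077\n"
SAMPLE_LOGIN_DEFS_UNSET = "# ENCRYPT_METHOD SHA512\nUMASK 077\n"

# The pam.d line quoted in the thread, plus a variant with no algorithm option.
SAMPLE_PAM_PASSWD = "password  required  pam_unix.so sha512 shadow nullok\n"
SAMPLE_PAM_PASSWD_NOALG = "password  required  pam_unix.so shadow nullok\n"


def classify_hash(field):
    """Return the scheme name for one shadow password field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked"                     # disabled or locked account
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"                        # only 8 password chars are significant
    return "unknown"


def audit_shadow(text):
    """Map user -> scheme for every entry in shadow-formatted text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text):
    """Users whose stored hash is DES crypt, i.e. effectively 8-character passwords."""
    return sorted(u for u, s in audit_shadow(text).items() if s == "des")


def login_defs_encrypt_method(text):
    """ENCRYPT_METHOD from login.defs-formatted text, or None when unset."""
    method = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments
        if len(parts) >= 2 and parts[0] == "ENCRYPT_METHOD":
            method = parts[1].upper()           # last assignment wins
    return method


def pam_unix_hash_option(text):
    """Hash option on the first 'password ... pam_unix.so' line, or None."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "password" and parts[2].endswith("pam_unix.so"):
            found = PAM_HASH_OPTIONS.intersection(parts[3:])
            return found.pop() if found else None   # None: no algorithm on the line
    return None


if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme}")
    print("DES-hashed accounts:", weak_accounts(SAMPLE_SHADOW))
    print("login.defs ENCRYPT_METHOD:", login_defs_encrypt_method(SAMPLE_LOGIN_DEFS))
    print("pam_unix hash option:", pam_unix_hash_option(SAMPLE_PAM_PASSWD))
```

On a real system the same functions can be fed the contents of /etc/shadow (root only), /etc/login.defs and /etc/pam.d/passwd; any user reported as `des` after a password change is the symptom described in the thread, since a scheme change only takes effect when the password is next set.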

