
Bug#801810: Passwords are not hashed with MD5 anymore (Appendix B)



Source: installation-guide
Version: 20150423+deb8u1
Tags: patch

In section 4.5[1] of Appendix B there are several references to "MD5
hash" as a method of storing passwords. At the end of the section there
is a reference to the mkpasswd command generating a SHA-512 crypt(3) hash.
Hence, the hashes should be referred to as "crypt(3) hashes" rather than
MD5. Furthermore, the following sentence

    Using MD5 hashes is considered slightly better in terms of security
    but it might also give a false sense of security as access to a MD5
    hash allows for brute force attacks.

while true, is not actually relevant for crypt(3) hashes based on
stronger hashes like SHA-256 or SHA-512.

I attach a patch for the English version of the guide.
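As an added example (not part of this bug report or of the installation guide), a small Python checker that classifies the `$id$` prefix of a crypt(3) string and audits the preseed password directives discussed above, flagging clear-text values and the DES/MD5 formats the patch calls weak. The sample preseed lines and hash values are constructed, and the key names are the ones the guide's preseed section shows.

```python
import re
# crypt(3) "$id$" prefixes -> (algorithm, weak?); unrecognised ids are treated as weak.
CRYPT_IDS = {
    "1": ("MD5", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("SHA-256", False), "6": ("SHA-512", False),
    "7": ("scrypt", False), "y": ("yescrypt", False),
}

def classify_crypt_hash(value):
    """Return (algorithm, weak) for a crypt(3) string."""
    m = re.match(r"^\$([^$]+)\$", value)
    if m:
        return CRYPT_IDS.get(m.group(1), ("unknown", True))
    # Traditional DES crypt: 13 chars from [./0-9A-Za-z] and no "$id$" prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return ("DES", True)
    return ("unknown", True)

# Active (uncommented) d-i password directives as shown in the guide's preseed section.
PRESEED_RE = re.compile(
    r"^\s*d-i\s+(?P<key>passwd/(?:root|user)-password(?:-crypted|-again)?)"
    r"\s+password\s+(?P<val>\S+)"
)

def audit_preseed(text):
    """Return [(line_no, key, finding)] for each password directive in a preseed file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PRESEED_RE.match(line)
        if not m:
            continue  # commented-out ("#d-i ...") and unrelated lines are skipped
        key, val = m.group("key"), m.group("val")
        if key.endswith("-crypted"):
            algo, weak = classify_crypt_hash(val)
            findings.append((n, key, f"{algo} crypt(3) hash" + (" (weak)" if weak else "")))
        else:
            findings.append((n, key, "clear-text password"))
    return findings

# Constructed sample preseed fragment (hash values are made up, not real hashes).
SAMPLE_PRESEED = """\
d-i passwd/root-password-crypted password $1$saltsalt$0123456789abcdefghijkl
d-i passwd/user-password password insecure
d-i passwd/user-password-crypted password $6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz
"""
if __name__ == "__main__":
    for n, key, finding in audit_preseed(SAMPLE_PRESEED):
        print(f"line {n}: {key}: {finding}")
```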

-- 
It was my pleasure.                                   --- Rurku. --- ...
>Łukasz<                                --- It's good that you're listening to me.

... From now on, anything can happen. The action takes place...
Index: en/appendix/preseed.xml
===================================================================
--- en/appendix/preseed.xml	(revision 70042)
+++ en/appendix/preseed.xml	(working copy)
@@ -999,7 +999,7 @@
 
 The password for the root account and name and password for a first regular
 user's account can be preseeded. For the passwords you can use either clear
-text values or MD5 <emphasis>hashes</emphasis>.
+text values or crypt(3) <emphasis>hashes</emphasis>.
 
 </para>
 <warning><para>
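Review bot: "crypt(3) hashes" is accurate but says nothing about strength on its own, since crypt(3) also covers the DES and MD5 formats the rest of the patch calls weak; consider "crypt(3) hashes (SHA-512 recommended)" or similar, so this sentence points at the strong variant the mkpasswd example later in the patch produces.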
@@ -1006,9 +1006,9 @@
 
 Be aware that preseeding passwords is not completely secure as everyone
 with access to the preconfiguration file will have the knowledge of these
-passwords. Using MD5 hashes is considered slightly better in terms of
-security but it might also give a false sense of security as access to a
-MD5 hash allows for brute force attacks.
+passwords. Storing hashed passwords is considered secure unless a weak
+hashing algorithm like DES or MD5 is used which allow for bruteforce
+attacks. Recommended password hashing algorithms are SHA-256 and SHA512.
 
 </para></warning>
 
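Review bot: the replacement "Storing hashed passwords is considered secure unless a weak hashing algorithm like DES or MD5 is used" overstates the protection: anyone with the preconfiguration file can run an offline guessing attack against a SHA-512 crypt(3) hash as well, so a weak password is recovered whatever the algorithm; keep the original "false sense of security" caveat and say that a strong algorithm only raises the attacker's cost. Also fix grammar and spelling in the new lines: "which allow for bruteforce attacks" should be "which allows brute-force attacks", and "SHA512" should be "SHA-512" to match "SHA-256".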
@@ -1022,8 +1022,8 @@
 # Root password, either in clear text
 #d-i passwd/root-password password r00tme
 #d-i passwd/root-password-again password r00tme
-# or encrypted using an MD5 hash.
-#d-i passwd/root-password-crypted password [MD5 hash]
+# or encrypted using an crypt(3)  hash.
+#d-i passwd/root-password-crypted password [crypt(3) hash]
 
 # To create a normal user account.
 #d-i passwd/user-fullname string Debian User
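Review bot: "# or encrypted using an crypt(3)  hash." has the wrong article and a double space; it should read "using a crypt(3) hash". "encrypted" is also the wrong word for a hash (carried over from the old text), so "# or as a crypt(3) hash." would be more accurate while still matching the -crypted key name.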
@@ -1031,8 +1031,8 @@
 # Normal user's password, either in clear text
 #d-i passwd/user-password password insecure
 #d-i passwd/user-password-again password insecure
-# or encrypted using an MD5 hash.
-#d-i passwd/user-password-crypted password [MD5 hash]
+# or encrypted using an crypt(3) hash.
+#d-i passwd/user-password-crypted password [crypt(3) hash]
 # Create the first user with the specified UID instead of the default.
 #d-i passwd/user-uid string 1010
 
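Review bot: same article error as in the root-password hunk: "# or encrypted using an crypt(3) hash." should be "using a crypt(3) hash" (and ideally "hashed" rather than "encrypted").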
@@ -1054,7 +1054,7 @@
 </para><para>
 
 The following command (available from the <classname>whois</classname> package)
-can be used to generate an MD5 hash for a password:
+can be used to generate an SHA-512 based crypt(3) hash for a password:
 
 <informalexample><screen>
 mkpasswd -m sha-512
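Review bot: "an SHA-512 based crypt(3) hash" should be "a SHA-512-based crypt(3) hash". Since the warning hunk now recommends SHA-256 and SHA-512, it would also help readers to state that the value printed by "mkpasswd -m sha-512" starts with "$6$", so they can confirm they did not paste an MD5 ("$1$") hash into passwd/root-password-crypted by mistake.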
