Bug#801810: marked as done (Passwords are not hashed with MD5 anymore (Appendix B))

Your message dated Thu, 21 Jan 2016 22:03:45 +0000
with message-id <E1aMNKT-0005t1-Q1@franck.debian.org>
and subject line Bug#801810: fixed in installation-guide 20160121
has caused the Debian Bug report #801810,
regarding Passwords are not hashed with MD5 anymore (Appendix B)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

801810: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801810
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: installation-guide
Version: 20150423+deb8u1
Tags: patch

In the section 4.5[1] of Appendix B there are several references to "MD5
hash" as a method of storing passwords. At the end of the section there
is a reference to mkpasswd command generating SHA-512 crypt(3) hash.
Hence, the hashes should be referred to as "crypt(3) hashes" rather than
MD5. Furthermore, the following sentence

    Using MD5 hashes is considered slightly better in terms of security
    but it might also give a false sense of security as access to a MD5
    hash allows for brute force attacks.

while true, is not actually relevant for crypt(3) hashes based on
stronger hashes like SHA-256 or SHA-512.

I attach a patch for the English version of the guide.

It was a great pleasure.                              --- Rurku. --- ...
>Łukasz<                                --- Good that you are listening to me.

... From now on anything can happen. The action takes place...
Index: en/appendix/preseed.xml
--- en/appendix/preseed.xml	(revision 70042)
+++ en/appendix/preseed.xml	(working copy)
@@ -999,7 +999,7 @@
 The password for the root account and name and password for a first regular
 user's account can be preseeded. For the passwords you can use either clear
-text values or MD5 <emphasis>hashes</emphasis>.
+text values or crypt(3) <emphasis>hashes</emphasis>.
@@ -1006,9 +1006,9 @@
 Be aware that preseeding passwords is not completely secure as everyone
 with access to the preconfiguration file will have the knowledge of these
-passwords. Using MD5 hashes is considered slightly better in terms of
-security but it might also give a false sense of security as access to a
-MD5 hash allows for brute force attacks.
+passwords. Storing hashed passwords is considered secure unless a weak
+hashing algorithm like DES or MD5 is used which allow for bruteforce
+attacks. Recommended password hashing algorithms are SHA-256 and SHA512.
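Review bot: the replacement sentence in this hunk overstates the protection: "Storing hashed passwords is considered secure unless a weak hashing algorithm ... is used" reads as if a strong algorithm removes the brute-force risk, but anyone who can read the hash can still guess weak passwords offline, whichever crypt(3) algorithm produced it; suggest something like "Storing hashed passwords is considerably better, but a weak hashing algorithm such as DES or MD5, or a weak password, still allows for brute-force attacks." Two smaller points on the same lines: "which allow for bruteforce attacks" should be "which allows brute-force attacks", and "SHA512" should be spelled "SHA-512" to match "SHA-256" in the same sentence.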
@@ -1022,8 +1022,8 @@
 # Root password, either in clear text
 #d-i passwd/root-password password r00tme
 #d-i passwd/root-password-again password r00tme
-# or encrypted using an MD5 hash.
-#d-i passwd/root-password-crypted password [MD5 hash]
+# or encrypted using an crypt(3)  hash.
+#d-i passwd/root-password-crypted password [crypt(3) hash]
 # To create a normal user account.
 #d-i passwd/user-fullname string Debian User
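Review bot: typo in the added comment line "# or encrypted using an crypt(3)  hash.": the article should be "a", not "an", and there is a doubled space before "hash"; suggest "# or encrypted using a crypt(3) hash."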
@@ -1031,8 +1031,8 @@
 # Normal user's password, either in clear text
 #d-i passwd/user-password password insecure
 #d-i passwd/user-password-again password insecure
-# or encrypted using an MD5 hash.
-#d-i passwd/user-password-crypted password [MD5 hash]
+# or encrypted using an crypt(3) hash.
+#d-i passwd/user-password-crypted password [crypt(3) hash]
 # Create the first user with the specified UID instead of the default.
 #d-i passwd/user-uid string 1010
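Review bot: same article error as in the root-password hunk: "# or encrypted using an crypt(3) hash." should read "# or encrypted using a crypt(3) hash." so both comment lines end up identical.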
@@ -1054,7 +1054,7 @@
 The following command (available from the <classname>whois</classname> package)
-can be used to generate an MD5 hash for a password:
+can be used to generate an SHA-512 based crypt(3) hash for a password:
 mkpasswd -m sha-512
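Review bot: "can be used to generate an SHA-512 based crypt(3) hash" should read "can be used to generate a SHA-512-based crypt(3) hash"; it would also help the reader to say explicitly that the output of this command is what replaces the "[crypt(3) hash]" placeholder in the passwd/*-password-crypted lines changed earlier in this patch.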

Attachment: signature.asc
Description: PGP signature

--- End Message ---
--- Begin Message ---
Source: installation-guide
Source-Version: 20160121

We believe that the bug you reported is fixed in the latest version of
installation-guide, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801810@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Samuel Thibault <sthibault@debian.org> (supplier of updated installation-guide package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 21 Jan 2016 20:14:33 +0100
Source: installation-guide
Binary: installation-guide-amd64 installation-guide-arm64 installation-guide-armel installation-guide-armhf installation-guide-i386 installation-guide-kfreebsd-amd64 installation-guide-kfreebsd-i386 installation-guide-mips installation-guide-mipsel installation-guide-powerpc installation-guide-ppc64el installation-guide-s390x
Architecture: source all
Version: 20160121
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
 installation-guide-amd64 - Debian installation guide for amd64
 installation-guide-arm64 - Debian installation guide for arm64
 installation-guide-armel - Debian installation guide for armel
 installation-guide-armhf - Debian installation guide for armhf
 installation-guide-i386 - Debian installation guide for i386
 installation-guide-kfreebsd-amd64 - Debian installation guide for kFreeBSD amd64
 installation-guide-kfreebsd-i386 - Debian installation guide for kFreeBSD i386
 installation-guide-mips - Debian installation guide for mips
 installation-guide-mipsel - Debian installation guide for mipsel
 installation-guide-powerpc - Debian installation guide for powerpc
 installation-guide-ppc64el - Debian installation guide for powerpc
 installation-guide-s390x - Debian installation guide for s390x
Closes: 789652 801810 803267 809523
 installation-guide (20160121) unstable; urgency=medium
   [ Martin Michlmayr ]
   * Update scripts and entities to stretch release.
   * Remove the DNS-323 from the list of supported Orion devices.
   * Remove IXP4xx from the list of supported armel platforms.
   * Remove references to platforms that were last supported in Debian 7.
   * Document armel devices and platforms for which support was dropped.
   * Update list of supported QNAP models.
   * Add "MX53 LOCO Board" as alternative name for the MX53 Quick Start
     Board (see #788782).
   * List Seagate FreeAgent DockStar as supported plug computer.
   * Convert supported Kirkwood devices to a list.
   * Added QNAP TS-109, TS-209, TS-409 and TS-409U as supported
     models again.
   [ Vincent McIntyre ]
   * Document discrepancy between halt and poweroff. Closes: #789652.
   [ Łukasz Stelmach ]
   * Update information on hashed passwords. Closes: #801810.
   [ Samuel Thibault ]
   * Document the fourth bootline parameter of brltty.
   * Document the zoom support.
   [ Matt Kraai ]
   * Fix Instructions for creating syslinux.cfg according to syslinux 5.00
     change. Closes: #803267.
   [ Holger Wansing ]
   * Documenting that the graphical installer is now the default.
   [ Cyril Brulebois ]
   * Remove alternative build-dep on openjade1.3, thanks to Neil Roeth
     (Closes: #809523).
 c62055876aaf07ede2944af232709ec26f72bbd7 2938 installation-guide_20160121.dsc
 8951074f184c602b9cca881879550c81749f765f 9201631 installation-guide_20160121.tar.gz
 8805b7d0eab3350e95ac252316fac5e5855d7d52 15648246 installation-guide-amd64_20160121_all.deb
 2090da1b1f54e13de01f7ced3d5a27e7e0cdbeae 13932396 installation-guide-arm64_20160121_all.deb
 b8d9c259fb4a4ae44e7fbe07ab5c77dcde9834ff 13954464 installation-guide-armel_20160121_all.deb
 9d557592ed0e0631e1646703a2d0ccd474427119 14208132 installation-guide-armhf_20160121_all.deb
 56f87f23f8a7c88cd73b7103de64d675e293642d 15695892 installation-guide-i386_20160121_all.deb
 6b7484b54ef828d0fcbc2045b996c2f4716bd91f 13840468 installation-guide-kfreebsd-amd64_20160121_all.deb
 9e8a818e56c167559881e10a106541db467239ab 13812356 installation-guide-kfreebsd-i386_20160121_all.deb
 007fd4716b6723439383d9a30b45de756b8c8835 13394574 installation-guide-mips_20160121_all.deb
 9b0db0d808fbe2b3f2247156f06d871b4f444157 13278558 installation-guide-mipsel_20160121_all.deb
 005c5acc95dfa91fe50c9f126061564f0f968fd8 15091778 installation-guide-powerpc_20160121_all.deb
 6520bea56d2fb427a1d1f5131044d72f029c31ec 13610434 installation-guide-ppc64el_20160121_all.deb
 5bb309fa462ec7ddb62980c9389a6d7bd2657bc5 12196498 installation-guide-s390x_20160121_all.deb
 2f23b075e4f66df1848b154379c6ce8f1400ba39dfbc8cae9584202420f26503 2938 installation-guide_20160121.dsc
 6e35423eb5fed34cdf4ac7454e06f3ec3fd4f1ed04f548b2ce54568717cc8e21 9201631 installation-guide_20160121.tar.gz
 6a7d8af017510cf7e97d4596fd3ebae2605d735dac22a0204090d4690028911b 15648246 installation-guide-amd64_20160121_all.deb
 0849839fd2431221386f4d728a64b45a3fc38ee51fd67392241772d2772a057b 13932396 installation-guide-arm64_20160121_all.deb
 f34f3e3d54e46e08495fe894c23c71db5e5f457895aaaf99e04c7437e08ed2d9 13954464 installation-guide-armel_20160121_all.deb
 208f930ca1fcd1cbdbdfaaca2124db4aa8ef93ddc2ccb2ba850c0a2008f0dd59 14208132 installation-guide-armhf_20160121_all.deb
 b1a493b3c299d22fdafc016bcd3ff3ebeea9ecffb386f7de7caa13f416bec74f 15695892 installation-guide-i386_20160121_all.deb
 016ab128fd1a88b88b44f967f966b4b297eba3ab065b94759cd2a4bd940c0a38 13840468 installation-guide-kfreebsd-amd64_20160121_all.deb
 f405309931c416059f69c9cbf93e2e2a0a8a3854b5b8efadad8fadcaad0fd03f 13812356 installation-guide-kfreebsd-i386_20160121_all.deb
 76b9e35eae2ef16d83e55345a3fd1a65c7521d7168a207656d2fcd36133b8746 13394574 installation-guide-mips_20160121_all.deb
 9e5851fbb1f0cf9d235f2c959fc541a6848d0972b9d46cf71fa437f6ca805c33 13278558 installation-guide-mipsel_20160121_all.deb
 e0a72c2a7f4a26cb8f72e1eea8421c403b9f119f7df7acb5ed14771a05e6903c 15091778 installation-guide-powerpc_20160121_all.deb
 e3c5e67dc89acc04d480ac3eee093991667c375f1790974d874f108461b54c92 13610434 installation-guide-ppc64el_20160121_all.deb
 1cd18ae5a95bdc046f4d522a41239356bc98a3c8a99e89b07ae4a9d5eec68dbf 12196498 installation-guide-s390x_20160121_all.deb
 da08d2dafc4a4f1799a62a33e66af052 2938 doc optional installation-guide_20160121.dsc
 156db3314485512c7b644bc6d06c5839 9201631 doc optional installation-guide_20160121.tar.gz
 529da27cf3c29d1fdf573ea42947e176 15648246 doc optional installation-guide-amd64_20160121_all.deb
 fe4e71de734aa29cbff98706a6343cf2 13932396 doc optional installation-guide-arm64_20160121_all.deb
 49995570563ca175fb5a4eb6d5c736a3 13954464 doc optional installation-guide-armel_20160121_all.deb
 790b8d7825a71266f7e87a66000cda61 14208132 doc optional installation-guide-armhf_20160121_all.deb
 12709c58744eaba8ea1d1bda41ed9ea2 15695892 doc optional installation-guide-i386_20160121_all.deb
 f9fea92e47bccff2a9a12144c8ce57cd 13840468 doc optional installation-guide-kfreebsd-amd64_20160121_all.deb
 cc059681fd6500704cae710912c3b227 13812356 doc optional installation-guide-kfreebsd-i386_20160121_all.deb
 3253d0925cea2df299b3dd16cb16762b 13394574 doc optional installation-guide-mips_20160121_all.deb
 8dfdfb70820edf33fa72531cdd7a8cdd 13278558 doc optional installation-guide-mipsel_20160121_all.deb
 cb51bacbff8ae9bd11316db51d042346 15091778 doc optional installation-guide-powerpc_20160121_all.deb
 0034c2c3a0f4b419aeab22ac4ce95240 13610434 doc optional installation-guide-ppc64el_20160121_all.deb
 211e844d7ad9c5aed66b3c5eb5f0b694 12196498 doc optional installation-guide-s390x_20160121_all.deb

--- End Message ---
