
Re: Bug#283961: chpasswd ignores system MD5 configuration



> > The chpasswd program ignores the system MD5 setting in /etc/pam.d/passwd
> > (also tried MD5_CRYPT_ENAB in /etc/login.defs) and instead hashes all
> > passwords with DES.  In the case of compromise of /etc/shadow, this
> > greatly increases the ease with which attackers can crack back passwords.
> > The system administrator thinks that they are using strong hashing until
> > they closely examine /etc/shadow.
> 
> Please keep team@security.debian.org informed of the progress of this bug.


Given the level of maintenance for the shadow package codebase, it
would be better to have some help in fixing this.

Just look at the changelog of 4.0.3-30.4.... I did nearly all recent
uploads but as already said when the last security bug came in, I
absolutely don't have the skills for maintaining anything but peripheral
stuff (translation, package organisation) in shadow.

Probably time for bringing this to the QA team...if not publicly. The
only thing that slowed me is that Karl Ramm and Sam Hartman (the
current official package maintainers) have always been good people and
a "hijack" would sound quite rude. Especially as I, alone, do not have
the shoulders wide enough for it.
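
The quoted report notes that the DES fallback only shows up when /etc/shadow is examined closely. The following check automates that examination; it is an added example, not part of the original message or of the shadow package, and the function names and the sample shadow lines (with placeholder hash strings) are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no "$id$" prefix.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format prefixes; "$1$" is the MD5 scheme the report expected.
PREFIXES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

def classify(field):
    """Return the hashing scheme used by one shadow password field."""
    body = field.lstrip("!")          # a leading "!" marks a locked password
    if body in ("", "*"):
        return "none"                 # no hash present (empty or login disabled)
    if DES_RE.fullmatch(body):
        return "des"
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return name
    return "unknown"

def audit(shadow_text, expected="md5"):
    """Return [(user, scheme)] for accounts whose hash is not `expected`."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme = classify(parts[1])
        if scheme not in ("none", expected):
            findings.append((parts[0], scheme))
    return findings

# Constructed sample in shadow(5) layout; the hash strings are placeholders.
SAMPLE = """\
root:$1$Cnstrctd$0123456789abcdefghijkl:12740:0:99999:7:::
daemon:*:12740:0:99999:7:::
alice:ab0123456789A:12745:0:99999:7:::
bob:!cd0123456789B:12745:0:99999:7:::
carol:$1$Cnstrctd$mnopqrstuvwxyz01234567:12745:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: password hashed with {scheme}, expected md5")
```

Locked entries such as bob's are still reported, because the DES hash remains in the file and is exposed if /etc/shadow is compromised.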





