
Re: Security implications of chpasswd.



hello,

chpasswd is in the shadow source package (you can find this out using
apt-show commands). You can work around the problem by using a script
which will use the -e option and fill in an encrypted passwd; this will
also solve the other problem you talk about. There is a bug already
reported about this MD5 support, but it does not seem to be in the BTS
(bugs directory of the source package).

JeF

On Thu, Feb 28, 2002 at 04:16:10PM -0800, Petro wrote:
>     For some very good reasons I had to do a mass change of passwords
>     on one of our exposed login machines (no breach/hack, different
>     reason). 
> 
>     There is a utility included in Debian Stable (and the others) to do
>     this called chpasswd. 
> 
>     I believe there may be some security issues with this utility:
> 
>     1) This utility does DES passwords instead of MD5, even tho' the
>     rest of the system does/understands MD5. 
> 
>     2) when doing a mass password change, the first 2 characters are the
>     same for every password. This could be an "information leak"
>     indicating mass-password changes, and displaying *which passwords
>     are still at the set default*. For a better example of what I mean,
>     consider this case:
> 
>     A college campus creates 2k accounts and passwords at once. JR
>     hacker gains access a week later through his account w/out changing
>     the password, then somehow gets ahold of the shadow file. In it he
>     can determine (with some margin of error) which accounts have or
>     haven't been changed. Since many universities use some stupid
>     pattern for their passwords, or hand out cards with the account
>     passwords on them (later found in the trash), he now has a pool of
>     accounts to attack. 
> 
>     3) chpasswd provides no facility to use MD5 rather than (I suspect)
>     DES. DES is unacceptable these days. 
> 
>     Also, where is the source for this utility, and the passwd utility?
>     I can't seem to find it in my local mirror. 
> 
> -- 
> Share and Enjoy. 
> 

-- 
-> Jean-Francois Dive
--> jef@linuxbe.org
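The two problems raised in this thread (DES hashes where the rest of the system speaks MD5, and every mass-set password sharing the same two-character salt, which lets anyone holding the shadow file spot which accounts are still at the default) are both visible in the shadow file itself. The audit script below is an added example, not code from this thread or from the shadow package: it parses shadow-format lines, classifies each hash as DES or MD5-crypt, and reports accounts that share a salt, so an administrator can check the result of a mass change before and after switching to `chpasswd -e` with per-account hashes. The sample lines, the function names and the account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample shadow-format lines (user:hash:aging fields), not taken
# from any real system. The first three accounts imitate a mass run of
# chpasswd without -e: 13-character DES hashes that all share the salt "ab".
# The next two were set from pre-hashed MD5-crypt entries with distinct
# random salts. The last one is a locked account with no hash to inspect.
SAMPLE_SHADOW = """\
alice:abJ3n1m0Qx9Kc:11746:0:99999:7:::
bob:abX7kLp2Rt4Wq:11746:0:99999:7:::
carol:ab9sT1uV6yZ0e:11746:0:99999:7:::
dave:$1$Qz8Lp0Ka$abcdefghijklmnopqrstuv:11746:0:99999:7:::
erin:$1$m3Kx9Ra1$vwxyzABCDEFGHIJKLMNOPQ:11746:0:99999:7:::
root:!:11746:0:99999:7:::
"""

# Traditional DES crypt: 2 salt characters followed by 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: "$1$" + up to 8 salt characters + "$" + 22 hash characters.
MD5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")


def parse_shadow(text):
    """Yield (user, hash) for every line that carries a usable hash."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw = fields[0], fields[1]
        # Locked ("!", "!..."), disabled ("*") or empty entries have no salt.
        if pw in ("", "*") or pw.startswith("!"):
            continue
        yield user, pw


def salt_of(pw):
    """Return (scheme, salt) for a DES or MD5-crypt hash, else None."""
    if DES_RE.match(pw):
        return "des", pw[:2]
    m = MD5_RE.match(pw)
    if m:
        return "md5", m.group(1)
    return None


def audit(text):
    """Report accounts with DES hashes and groups of accounts sharing a salt."""
    by_salt = defaultdict(list)
    des_users = []
    for user, pw in parse_shadow(text):
        info = salt_of(pw)
        if info is None:
            continue  # unknown scheme; nothing to say about its salt
        scheme, salt = info
        by_salt[(scheme, salt)].append(user)
        if scheme == "des":
            des_users.append(user)
    shared = {key: users for key, users in by_salt.items() if len(users) > 1}
    return {"des": des_users, "shared_salts": shared}


if __name__ == "__main__":
    report = audit(SAMPLE_SHADOW)
    for user in report["des"]:
        print(f"{user}: DES hash (56-bit, 8-character limit)")
    for (scheme, salt), users in report["shared_salts"].items():
        print(f"salt {salt!r} ({scheme}) shared by: {', '.join(users)}")
```

Run against the real file with `audit(open("/etc/shadow").read())` as root. The script only inspects hashes; producing them is left to crypt(3) through whatever tool is at hand (for instance `openssl passwd -1 -salt <salt>` with a freshly generated salt per account), after which the `user:hash` lines go to `chpasswd -e`. A clean result has an empty `shared_salts` map and no entries under `des`.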
