Anaconda 22.17+ enforces "good" passwords
Stephen John Smoogen
smooge at gmail.com
Mon Feb 23 17:01:55 UTC 2015
On 22 February 2015 at 22:48, Chris Murphy <lists at colorremedies.com> wrote:
> I'm noticing that Fedora depends on the user passworld, plus a salt,
> and the glibc sha512-crypt.c default of 5000 rounds through SHA512, to
> create the hash found in /etc/shadow.
>
>
The main issue that occurs when you change the 5000 rounds is running into
mixed environments. You quickly find that while the password format has a
format which allows for you to set the number of rounds.. a lot of places
assume that 5000 is what is being used. You then have the "I can't login to
X" where X is some addon to the Oracle/SAP/etc system and you can't do your
vacation time. To deal with that is a larger issue than just the security
team in that you need to say "We realize that the product change is going
to affect usage in non-Fedora-only environment.
> OS X 10.10 has been out some months and hashcat doesn't have OS X
> 10.10 support yet, and they distinguish between each major OS X
> version 10.4 through 10.9. Clearly Apple changes there hashing method
> between each OS X release.
>
>
Sometimes they do.. sometimes they don't. The main issue is where the
password is stored and the format it is stored in versus the method. [They
used the same method for a couple but changed how it looked.] They can't
change it too much because they have to deal with the fact that user X has
a MacOS-X 10.9 and 10.10 box and may need to work in an environment where
box A and B are using the same password.
--
Stephen J Smoogen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/security/attachments/20150223/1393279d/attachment.html>
More information about the security
mailing list