Anaconda 22.17+ enforces "good" passwords

Chris Murphy lists at colorremedies.com
Mon Feb 23 18:22:16 UTC 2015


On Mon, Feb 23, 2015 at 10:01 AM, Stephen John Smoogen <smooge at gmail.com> wrote:
> The main issue that occurs when you change the 5000 rounds is running into
> mixed environments. You quickly find that while the password format has a
> format which allows for you to set the number of rounds.. a lot of places
> assume that 5000 is what is being used. You then have the "I can't login to
> X" where X is some addon to the Oracle/SAP/etc system and you can't do your
> vacation time. To deal with that is a larger issue than just the security
> team in that you need to say "We realize that the product change is going to
> affect usage in non-Fedora-only environments."

Thanks for the response. I don't understand how software ignores the
rounds value specified in /etc/shadow but honors the salt specified in
same. Assuming should only happen if /etc/shadow omits $rounds=.



>> OS X 10.10 has been out some months and hashcat doesn't have OS X
>> 10.10 support yet, and they distinguish between each major OS X
>> version 10.4 through 10.9. Clearly Apple changes their hashing method
>> between each OS X release.
>>
>
> Sometimes they do.. sometimes they don't. The main issue is where the
> password is stored and the format it is stored in versus the method. [They
> used the same method for a couple but changed how it looked.] They can't
> change it too much because they have to deal with the fact that user X has a
> MacOS-X 10.9 and 10.10 box and may need to work in an environment where box
> A and B are using the same password.

The context is the local shadow file in both the Fedora (above) and OS X cases.

If the environment is using directory services (Active/Open Directory,
LDAP) then I could even be using an OS X 10.6 system for this, using
the same password. And all such setups are kerberized and hence
standardized.


-- 
Chris Murphy
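
Added example, not part of the original message or of any project discussed in the thread: a small parser for the SHA-crypt field of shadow-style lines that reads the salt and the rounds= element from the same string and falls back to 5000 only when rounds= is omitted. The function names and sample lines are assumptions made up for illustration; the salts and hashes are placeholders.

```python
import re

# Constants from the SHA-crypt specification (crypt(3) ids 5 and 6).
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SCHEMES = {"5": "sha256crypt", "6": "sha512crypt"}

# $id$[rounds=N$]salt$hash ; the rounds= element is optional.
FIELD_RE = re.compile(
    r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]{0,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)

def parse_sha_crypt(field):
    """Return scheme, effective rounds and salt, or None if not SHA-crypt."""
    m = FIELD_RE.match(field)
    if m is None:
        return None  # locked account, another scheme, or malformed field
    explicit = m.group("rounds") is not None
    rounds = int(m.group("rounds")) if explicit else ROUNDS_DEFAULT
    # Out-of-range values are clamped to the nearest limit, as the spec requires.
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    return {"scheme": SCHEMES[m.group("id")], "rounds": rounds,
            "explicit": explicit, "salt": m.group("salt")}

def audit_shadow(lines):
    """List (user, scheme, rounds, explicit) for every SHA-crypt entry."""
    report = []
    for line in lines:
        user, field = line.split(":")[:2]
        parsed = parse_sha_crypt(field)
        if parsed:
            report.append((user, parsed["scheme"], parsed["rounds"], parsed["explicit"]))
    return report

# Constructed sample lines; salts and hashes are placeholders, not real values.
SAMPLE = [
    "alice:$6$rounds=100000$CONSTRUCTEDSALT1$PLACEHOLDERHASH:16489:0:99999:7:::",
    "bob:$6$CONSTRUCTEDSALT2$PLACEHOLDERHASH:16489:0:99999:7:::",
    "carol:!!:16489:0:99999:7:::",
]

if __name__ == "__main__":
    for row in audit_shadow(SAMPLE):
        print(row)
```

Entries reported with explicit set to False are the ones that rely on the 5000-round default.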

