[Bug 1807479] Re: Hashed passwords stored as MD5 hashes in /etc/shadow
Francis Ginther
francis.ginther at canonical.com
Fri Mar 22 12:24:08 UTC 2019
** Tags added: id-5c93b5ed0e88b83056419916
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to system-config-kickstart in
Ubuntu.
https://bugs.launchpad.net/bugs/1807479
Title:
Hashed passwords stored as MD5 hashes in /etc/shadow
Status in system-config-kickstart package in Ubuntu:
Triaged
Bug description:
The root password (if specified) and initial user account password
(required) are encrypted using an (insecure) MD5 hash. The resulting
kickstart file will build virtual machines that store the MD5 hashed
password in /etc/shadow for the root and/or initial user.
Currently Ubuntu uses SHA512 for storing hashed passwords in
/etc/shadow, but MD5 still works for the sake of backwards
compatibility. Using MD5 hashes for any passwords is highly insecure
and should be avoided.
1) The release of Ubuntu you are using, via 'lsb_release -rd' or
System -> About Ubuntu
$ lsb_release -rd
Description: Ubuntu 18.10
Release: 18.10
2) The version of the package you are using, via 'apt-cache policy
pkgname' or by checking in Software Center
$ apt-cache policy system-config-kickstart
system-config-kickstart:
Installed: 2.5.20-0ubuntu25
Candidate: 2.5.20-0ubuntu25
Version table:
*** 2.5.20-0ubuntu25 500
500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
100 /var/lib/dpkg/status
3) What you expected to happen
I expected system-config-kickstart to use SHA512 for storing hashed
passwords. (Hash starts with "$6$".)
4) What happened instead
system-config-kickstart used MD5 for storing hashed passwords. (Hash
starts with "$1$".)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/system-config-kickstart/+bug/1807479/+subscriptions
More information about the foundations-bugs
mailing list