Re: password hash in shadow file
- Date: Tue, 13 Mar 2018 16:47:42 +0100
- From: <tomas@xxxxxxxxxx>
- Subject: Re: password hash in shadow file
On Tue, Mar 13, 2018 at 03:18:35PM +0000, Adam Weremczuk wrote:
> Hi all,
> I've just spotted that on one of my old wheezy servers the root entry in
> /etc/shadow was updated just over 3 weeks ago.
> The root password is still the same and the lastchanged count is
> much higher than 3 weeks.
> The difference I've noticed is the hashed password string being much longer.
> It's now prefixed with $6$ (SHA-512 algorithm) compared with $1$
> (MD5) before the change.
Of course, moving off MD5 makes some sense. It's not burning a hole
in your system's security in this case, but MD5 is a bit old these
> My first suspect was a security patch but the system was not updated
> around that time.
> Has anybody seen this before and could explain?
What I don't understand is how the system changed the hashing
method without getting you involved. You don't remember having
had to enter the root password?
That would be strange.
/etc/shadow isn't world-readable, so if you have someone
on your system capable of reading it, you're already in hot
water; and if you have copies of /etc/shadow around there,
well... you encrypt your system backups, do you?
The only credible threat model remaining is that someone(TM)
accesses your hard disk "from the side", e.g. booting a rescue
system or taking to the screwdriver.
-- t
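As an added example (not part of the original thread): a small audit script that reports, for each shadow-format entry, the hashing scheme indicated by the `$id$` prefix alongside the last-changed field, so a scheme change without a matching last-changed update, or a leftover `$1$` (MD5) entry, is visible at a glance. The function names and the sample entries are constructed for illustration.

```python
from datetime import date, timedelta

# crypt(3) "$id$" prefixes found in the second field of /etc/shadow
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
WEAK = {"MD5", "DES"}

def classify(field):
    """Return (scheme, locked) for one shadow password field."""
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!*")
    if not body:
        return "no hash", locked
    if body.startswith("$"):
        ident = body.split("$")[1]
        return SCHEMES.get(ident, "unknown $%s$" % ident), locked
    # Un-prefixed 13-character strings are traditional DES crypt
    return ("DES" if len(body) == 13 else "unknown"), locked

def audit(lines):
    """Parse shadow-format lines into one report row per account."""
    rows = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[0]:
            continue
        scheme, locked = classify(fields[1])
        # Field 3 is the last password change, in days since 1970-01-01
        changed = (date(1970, 1, 1) + timedelta(days=int(fields[2]))
                   if fields[2].isdigit() else None)
        rows.append({"user": fields[0], "scheme": scheme, "locked": locked,
                     "last_changed": changed, "weak": scheme in WEAK})
    return rows

# Constructed sample entries (salts and hashes are placeholders, not real)
SAMPLE = [
    "root:$6$SALTSALT$PLACEHOLDERHASH:16000:0:99999:7:::",
    "backup:$1$SALTSALT$PLACEHOLDERHASH:15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
    "olduser:!$6$SALTSALT$PLACEHOLDERHASH:17000:0:99999:7:::",
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        flag = "  <-- weak scheme" if r["weak"] else ""
        print("%-8s %-8s locked=%-5s changed=%s%s" % (
            r["user"], r["scheme"], r["locked"], r["last_changed"], flag))
```

On a real host the same report comes from `audit(open("/etc/shadow"))`, which requires root because the file is not world-readable.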