Web lists-archives.com

Re: password hash in shadow file

Hash: SHA1

On Tue, Mar 13, 2018 at 03:18:35PM +0000, Adam Weremczuk wrote:
> Hi all,
> I've just spotted that on one of my old wheezy servers root entry in
> /etc/shadow was updated just over 3 weeks ago.
> The root password is still the same and the lastchanged count is
> much higher than 3 weeks.
> The difference I've noticed is the hashed password string being much longer.
> It's now prefixed with $6$ (SHA-512 algorithm) comparing with $1$
> (MD5) before the change.

Of course, moving off MD5 makes some sense. It's not burning a hole
in your system's security in this case [1], but MD5 is a bit old these

> My first suspect was a security patch but the system was not updated
> around that time.
> Has anybody seen this before and could explain?

What I don't understand is how the system changed the hashing
method without getting you involved. You don't remember having
had to enter the root password?

That would be strange.


[1] /etc/shadow isn't world-readable, so if you have someone
on your system capable of reading it, you're already in hot
water; and if you have copies of /etc/shadow around there,
well... you encrypt your system backups, do you?

The only credible threat model remaining is that someone(TM)
accesses your hard disk "from the side", e.g. booting a rescue
system or taking to the screwdriver.

- -- t
Version: GnuPG v1.4.12 (GNU/Linux)