Web lists-archives.com

Re: password hash in shadow file




On Tue 13 Mar 2018 at 15:18:35 (+0000), Adam Weremczuk wrote:
> Hi all,
> 
> I've just spotted that on one of my old wheezy servers root entry in
> /etc/shadow was updated just over 3 weeks ago.

Take a look at the end of a file and see if a new user/system account
has been added recently when you installed a package.
Examples: clamav logcheck avahi ntop and even debian-security-support.

If that doesn't turn up anything, just scan for the highest number
in the 3rd field. Then type (where 16933 is your number):

$ date -d "1970-01-01 +16933 days"
Thu May 12 00:00:00 CDT 2016
$

and that ought to match the last-modified timestamp.

(That example is for debian-security-support going onto one of my
wheezy systems.)

> The root password is still the same and the lastchanged count is
> much higher than 3 weeks.
> 
> The difference I've noticed is the hashed password string being much longer.
> 
> It's now prefixed with $6$ (SHA-512 algorithm) comparing with $1$
> (MD5) before the change.

Should we assume that you have evidence of the root entry with an MD5
indication but the same number in the 3rd entry as you have now?

> My first suspect was a security patch but the system was not updated
> around that time.
> 
> Has anybody seen this before and could explain?

No. Lacking a backup of shadow with an MD5 indication, all I can say
is that the same process must have been carried out here on all my
systems, and whatever that process was, it happened before 12 Sep 2016.
Doesn't seem likely.

That's the last time this backup wheezy system was booted up, and
shadow shows
file last modification 21 April 2014
birth of root password  3 April 2014
shadow root entry: root:$6$…:16163:0:99999:7:::
shadow last entry: apt-cacher-ng:*:16182:0:99999:7:::

Cheers,
David.