
Re: password hash in shadow file





On Tue, Mar 13, 2018 at 07:36:19PM +0100, Sven Hartge wrote:
> tomas@xxxxxxxxxx wrote:

[...]

> > Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> > all too easily 
> 
> Yes, basically.
> 
> > But I don't think your operating system is going to do that behind
> > your back ;-)
> 
> It would be quite obvious when just starting "passwd" takes several days
> while it cracks your MD5 hash to replace it with a stronger one ;)

And possibly eat through a disk or two (or are rainbow tables
superfluous with current GPUs? I don't know).

All that to choose quite probably a *different* password which happens
to hash to the same MD5. Login no more possible, but now secure :)

> But on that note: I wonder if one could create a PAM module which will
> do just that on successful login. Once you *know* you have the right
> password (and the PAM system has that knowledge including the plain text
> password the user entered) just rehash it and update /etc/shadow.
> 
> This will gradually upgrade all hashes once a user uses an account.

That would be downright sneaky :-)

Cheers
-- t
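The rehash-on-login idea quoted above, as an added example that is not part of the original thread and is not a PAM module: the hash field of a shadow(5)-style line is verified, and only after a correct password is checked against a legacy hash is it replaced. The scheme ids `legacy-md5` and `pbkdf2-sha256`, the function names and the sample entry are constructed; the `hashlib` functions are stand-ins for the crypt(3) schemes a real /etc/shadow would use.

```python
import hashlib
import hmac
import os

# Constructed scheme ids; a real /etc/shadow uses crypt(3) ids such as $1$ (md5crypt).
LEGACY, STRONG = "legacy-md5", "pbkdf2-sha256"
ITERATIONS = 200_000  # assumed work factor for this example


def _digest(scheme, salt, password):
    """Hash with the named scheme (stand-ins, not the real crypt(3) algorithms)."""
    if scheme == LEGACY:
        return hashlib.md5(salt + password).hexdigest()
    if scheme == STRONG:
        return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS).hex()
    raise ValueError(f"unknown scheme {scheme!r}")


def make_field(scheme, password, salt=None):
    """Build a '$scheme$salt$hash' value for the second field of a shadow line."""
    salt = salt or os.urandom(16)
    return f"${scheme}${salt.hex()}${_digest(scheme, salt, password)}"


def login_and_upgrade(shadow_line, password):
    """Return (authenticated, shadow_line). The line is rewritten only when a
    correct password was verified against a legacy hash."""
    fields = shadow_line.split(":")
    try:
        _, scheme, salt_hex, stored = fields[1].split("$")
        candidate = _digest(scheme, bytes.fromhex(salt_hex), password)
    except (ValueError, IndexError):
        return False, shadow_line  # locked ('!', '*') or unparseable hash field
    if not hmac.compare_digest(candidate, stored):
        return False, shadow_line  # wrong password: never touch the entry
    if scheme == LEGACY:
        # The plaintext is known to be correct here, so rehash it with a fresh salt.
        fields[1] = make_field(STRONG, password)
    return True, ":".join(fields)


# Constructed sample entry in shadow(5) layout.
OLD_LINE = "alice:" + make_field(LEGACY, b"correct horse") + ":17603:0:99999:7:::"
```

Accounts that never log in keep their legacy hash, so the upgrade is gradual, as the quoted text says.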