From: "Matthias Klein"
Date: Wed, 05 Mar 2014 18:47:41 +0000
To: ptxdist@pengutronix.de
Subject: [ptxdist] Busybox password hashing algorithm

Hello,

our ptxdist 2014.01.0 based product got an external security audit.
They complained that our passwords in the shadow file are hashed with
the outdated crypt(3) algorithm.
Her advice is to use bcrypt, PBKDF2 or scrypt.

We are using busybox for passwd etc.

Is this a busybox limitation? Or can we change the hashing algorithm in
busybox?
Or do we need to replace busybox' passwd etc. with something better?

Best regards,
Matthias
From: Marc Kleine-Budde
Date: Wed, 05 Mar 2014 19:55:14 +0100
Message-ID: <53177312.1090205@pengutronix.de>
To: ptxdist@pengutronix.de, Matthias Klein
Subject: Re: [ptxdist] Busybox password hashing algorithm

On 03/05/2014 07:47 PM, Matthias Klein wrote:
> Hello,
>
> our ptxdist 2014.01.0 based product got an external security audit.
> They complained that our passwords in the shadow file are hashed with
> the outdated crypt(3) algorithm.
> Her advice is to use bcrypt, PBKDF2 or scrypt.
>
> We are using busybox for passwd etc.
>
> Is this a busybox limitation? Or can we change the hashing algorithm in
> busybox?
> Or do we need to replace busybox' passwd etc. with something better?

Have a look at the BUSYBOX_USE_BB_CRYPT and BUSYBOX_USE_BB_CRYPT_SHA
option.

Marc

--
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |


From: "Matthias Klein"
Date: Wed, 05 Mar 2014 20:21:01 +0000
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] Busybox password hashing algorithm

Hello Marc,

I have found the solution: the default algorithm for passwd can be set
with the config option CONFIG_FEATURE_DEFAULT_PASSWD_ALGO.

I will send a patch tomorrow.

Best regards,
Matthias

------ Original message ------
From: "Matthias Klein"
To: "ptxdist@pengutronix.de"
Sent: 05.03.2014 20:19:50
Subject: Re: [ptxdist] Busybox password hashing algorithm

> Hello Marc,
>
> thanks a lot for the tip!
>
> With that option I can login with a SHA hashed password (starts with
> $6$).
> But if I change the password with passwd (from busybox) I get again a
> "weak" hashed password.
>
> I looked for a similar config option for passwd, but can't find one.
> Is there a way to create SHA hashes with passwd from busybox?
>
>
> Best regards,
> Matthias
>
>
> ------ Original message ------
> From: "Marc Kleine-Budde"
> To: ptxdist@pengutronix.de; "Matthias Klein"
> Sent: 05.03.2014 19:55:14
> Subject: Re: [ptxdist] Busybox password hashing algorithm
>
>> On 03/05/2014 07:47 PM, Matthias Klein wrote:
>>> Hello,
>>>
>>> our ptxdist 2014.01.0 based product got an external security audit.
>>> They complained that our passwords in the shadow file are hashed
>>> with the outdated crypt(3) algorithm.
>>> Her advice is to use bcrypt, PBKDF2 or scrypt.
>>>
>>> We are using busybox for passwd etc.
>>>
>>> Is this a busybox limitation? Or can we change the hashing algorithm
>>> in busybox?
>>> Or do we need to replace busybox' passwd etc. with something better?
>>
>> Have a look at the BUSYBOX_USE_BB_CRYPT and BUSYBOX_USE_BB_CRYPT_SHA
>> option.
>>
>> Marc


From: "Matthias Klein"
Date: Wed, 05 Mar 2014 19:19:50 +0000
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] Busybox password hashing algorithm

Hello Marc,

thanks a lot for the tip!

With that option I can login with a SHA hashed password (starts with
$6$).
But if I change the password with passwd (from busybox) I get again a
"weak" hashed password.

I looked for a similar config option for passwd, but can't find one.
Is there a way to create SHA hashes with passwd from busybox?

Best regards,
Matthias

------ Original message ------
From: "Marc Kleine-Budde"
To: ptxdist@pengutronix.de; "Matthias Klein"
Sent: 05.03.2014 19:55:14
Subject: Re: [ptxdist] Busybox password hashing algorithm

> On 03/05/2014 07:47 PM, Matthias Klein wrote:
>> Hello,
>>
>> our ptxdist 2014.01.0 based product got an external security audit.
>> They complained that our passwords in the shadow file are hashed with
>> the outdated crypt(3) algorithm.
>> Her advice is to use bcrypt, PBKDF2 or scrypt.
>>
>> We are using busybox for passwd etc.
>>
>> Is this a busybox limitation? Or can we change the hashing algorithm
>> in busybox?
>> Or do we need to replace busybox' passwd etc. with something better?
>
> Have a look at the BUSYBOX_USE_BB_CRYPT and BUSYBOX_USE_BB_CRYPT_SHA
> option.
>
> Marc
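To reproduce the auditor's finding on a BusyBox rootfs, here is an added example (not code from the thread, BusyBox or ptxdist): it classifies each /etc/shadow hash by its crypt(3) prefix (13-character DES, $1$ MD5, $5$ SHA-256, $6$ SHA-512 as mentioned above) and reads the CONFIG_FEATURE_DEFAULT_PASSWD_ALGO value out of a BusyBox .config. The shadow lines and the .config line are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from BusyBox/ptxdist:
# classify the hash scheme of each shadow entry the way the audit did,
# and show which default algorithm a BusyBox .config selects.

# Print the crypt(3) scheme used by one shadow password field.
classify_hash() {
    case "$1" in
        "")          echo "empty" ;;           # no password set
        '!'*|'*'*)   echo "locked" ;;          # login disabled
        '$1$'*)      echo "md5-crypt" ;;
        '$5$'*)      echo "sha256-crypt" ;;
        '$6$'*)      echo "sha512-crypt" ;;
        '$'*)        echo "other-crypt" ;;     # some other $id$ scheme
        *)  # traditional DES crypt: 2-char salt + 11 chars, no '$'
            if [ "${#1}" -eq 13 ]; then echo "des-crypt"; else echo "unknown"; fi ;;
    esac
}

# Read shadow-format lines on stdin; print "user scheme" for each entry
# an auditor would flag (DES, MD5 or unrecognised hashes).
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            des-crypt|md5-crypt|unknown) echo "$user $scheme" ;;
        esac
    done
    return 0
}

# Print the value of CONFIG_FEATURE_DEFAULT_PASSWD_ALGO from .config text
# on stdin; prints nothing if the option is absent.
passwd_default_algo() {
    sed -n 's/^CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="\(.*\)"$/\1/p'
}

# Constructed sample: DES, MD5 and SHA-512 hashes plus a locked account.
SAMPLE_SHADOW='root:zzXy1Qw8nL7Ks:16134:0:99999:7:::
admin:$1$Xq7sW2bL$9c0mPf3rT6vK1jH8dN4yE.:16134:0:99999:7:::
ops:$6$Rk3pZv8M$aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefghijklmn:16134:0:99999:7:::
daemon:*:16134:0:99999:7:::'
SAMPLE_CONFIG='CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des"'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow      # flags root and admin
printf '%s\n' "$SAMPLE_CONFIG" | passwd_default_algo
```

On a real target, feed the actual /etc/shadow and the BusyBox .config to the two functions instead of the constructed samples.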