* [ptxdist] Busybox password hashing algorithm
@ 2014-03-05 18:47 Matthias Klein
2014-03-05 18:55 ` Marc Kleine-Budde
0 siblings, 1 reply; 4+ messages in thread
From: Matthias Klein @ 2014-03-05 18:47 UTC (permalink / raw)
To: ptxdist
[-- Attachment #1.1: Type: text/plain, Size: 457 bytes --]
Hello,
our ptxdist 2014.01.0 based product got an external security audit.
They complained that our passwords in the shadow file are hashed with
the outdated crypt(3) algorithm.
Her advice is to use bcrypt, PBKDF2 or scrpy.
We are using busybox for passwd etc.
Is this a busybox limitation? Or can we change the hashing algorithm in
busybox?
Or do we need to replace busybox' passwd etc. with something better?
Best regards,
Matthias
[-- Attachment #1.2: Type: text/html, Size: 1861 bytes --]
[-- Attachment #2: Type: text/plain, Size: 48 bytes --]
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] Busybox password hashing algorithm
@ 2014-03-05 19:19 Matthias Klein
2014-03-05 20:21 ` Matthias Klein
0 siblings, 1 reply; 4+ messages in thread
From: Matthias Klein @ 2014-03-05 19:19 UTC (permalink / raw)
To: ptxdist
Hello Marc,
thanks a lot for the tip !
With that option I can login with a SHA hashed password (starts with
$6$).
But if I change the password with passwd (from busybox) I get again a
"weak" hashed password.
I looked for a similar config option for passwd, but can't find one.
Is there a way to create SHA hashs with passwd from busybox ?
Best regards,
Matthias
------ Originalnachricht ------
Von: "Marc Kleine-Budde" <mkl@pengutronix.de>
An: ptxdist@pengutronix.de; "Matthias Klein"
<matthias.klein@optimeas.de>
Gesendet: 05.03.2014 19:55:14
Betreff: Re: [ptxdist] Busybox password hashing algorithm
>On 03/05/2014 07:47 PM, Matthias Klein wrote:
>> Hello,
>>
>> our ptxdist 2014.01.0 based product got an external security audit.
>> They complained that our passwords in the shadow file are hashed with
>> the outdated crypt(3) algorithm.
>> Her advice is to use bcrypt, PBKDF2 or scrpy.
>>
>> We are using busybox for passwd etc.
>>
>> Is this a busybox limitation? Or can we change the hashing algorithm
>>in
>> busybox?
>> Or do we need to replace busybox' passwd etc. with something better?
>
>Have a look at the BUSYBOX_USE_BB_CRYPT and BUSYBOX_USE_BB_CRYPT_SHA
>option.
>
>Marc
>
>--
>Pengutronix e.K. | Marc Kleine-Budde |
>Industrial Linux Solutions | Phone: +49-231-2826-924 |
>Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
>Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
>
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] Busybox password hashing algorithm
2014-03-05 19:19 Matthias Klein
@ 2014-03-05 20:21 ` Matthias Klein
0 siblings, 0 replies; 4+ messages in thread
From: Matthias Klein @ 2014-03-05 20:21 UTC (permalink / raw)
To: ptxdist
Hello Marc,
I have found the solution: the default algorithm for passwd can be set
with the config option CONFIG_FEATURE_DEFAULT_PASSWD_ALGO.
I will send a patch tomorrow.
Best regards,
Matthias
------ Originalnachricht ------
Von: "Matthias Klein" <matthias.klein@optimeas.de>
An: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Gesendet: 05.03.2014 20:19:50
Betreff: Re: [ptxdist] Busybox password hashing algorithm
>Hello Marc,
>
>thanks a lot for the tip !
>
>With that option I can login with a SHA hashed password (starts with
>$6$).
>But if I change the password with passwd (from busybox) I get again a
>"weak" hashed password.
>
>I looked for a similar config option for passwd, but can't find one.
>Is there a way to create SHA hashs with passwd from busybox ?
>
>
>Best regards,
>Matthias
>
>
>------ Originalnachricht ------
>Von: "Marc Kleine-Budde" <mkl@pengutronix.de>
>An: ptxdist@pengutronix.de; "Matthias Klein"
><matthias.klein@optimeas.de>
>Gesendet: 05.03.2014 19:55:14
>Betreff: Re: [ptxdist] Busybox password hashing algorithm
>>On 03/05/2014 07:47 PM, Matthias Klein wrote:
>>> Hello,
>>>
>>> our ptxdist 2014.01.0 based product got an external security audit.
>>> They complained that our passwords in the shadow file are hashed
>>>with
>>> the outdated crypt(3) algorithm.
>>> Her advice is to use bcrypt, PBKDF2 or scrpy.
>>>
>>> We are using busybox for passwd etc.
>>>
>>> Is this a busybox limitation? Or can we change the hashing algorithm
>>>in
>>> busybox?
>>> Or do we need to replace busybox' passwd etc. with something better?
>>
>>Have a look at the BUSYBOX_USE_BB_CRYPT and BUSYBOX_USE_BB_CRYPT_SHA
>>option.
>>
>>Marc
>>
>>--
>>Pengutronix e.K. | Marc Kleine-Budde |
>>Industrial Linux Solutions | Phone: +49-231-2826-924 |
>>Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
>>Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
>>
>
>
>-- ptxdist mailing list
>ptxdist@pengutronix.de
>
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-03-05 20:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-05 18:47 [ptxdist] Busybox password hashing algorithm Matthias Klein
2014-03-05 18:55 ` Marc Kleine-Budde
2014-03-05 19:19 Matthias Klein
2014-03-05 20:21 ` Matthias Klein
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox