From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] system cfg: remove passwd MD5 format
Date: Wed, 5 Dec 2018 22:55:42 +0100 [thread overview]
Message-ID: <20181205215542.GB2561@scaer> (raw)
In-Reply-To: <1544027592-35204-2-git-send-email-matthew.weber@rockwellcollins.com>
Matt, All,
On 2018-12-05 10:33 -0600, Matt Weber spake thusly:
> As SHA256 is now default, removing weak MD5 option. C libraries now
> all support the SHA methods.
> glibc 2.7+
> uclibc (bdd8362a88 package/uclibc: defconfig: enable sha-256...)
> musl 1.1.14+
>
> One issue this would prevent is a host tool issue with a FIPS enabled
> system where weak ciphers/methods are disabled. The crypt(3) call
> checks /proc/sys/crypto/fips_enabled and would result in mkpasswd
> returning "crypt failed." Rather then create a host dependency check
> this patch removes the potential issue.
>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Regards,
Yann E. MORIN.
> ---
> Config.in.legacy | 8 ++++++++
> system/Config.in | 10 ----------
> 2 files changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 02321c8..d70654c 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -143,6 +143,14 @@ comment "----------------------------------------------------"
> endif
>
> ###############################################################################
> +
> +config BR2_TARGET_GENERIC_PASSWD_MD5
> + bool "target passwd md5 format support has been removed"
> + select BR2_LEGACY
> + help
> + The default has been moved to SHA256 and all C libraries
> + now support that method by default
> +
> comment "Legacy options removed in 2018.11"
>
> config BR2_TARGET_XLOADER
> diff --git a/system/Config.in b/system/Config.in
> index 2123d33..9a87b1b 100644
> --- a/system/Config.in
> +++ b/system/Config.in
> @@ -68,16 +68,6 @@ choice
>
> Note: this is used at build-time, and *not* at runtime.
>
> -config BR2_TARGET_GENERIC_PASSWD_MD5
> - bool "md5"
> - help
> - Use MD5 to encode passwords.
> -
> - The default. Wildly available, and pretty good.
> - Although pretty strong, MD5 is now an old hash function, and
> - suffers from some weaknesses, which makes it susceptible to
> - brute-force attacks.
> -
> config BR2_TARGET_GENERIC_PASSWD_SHA256
> bool "sha-256"
> help
> --
> 1.9.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2018-12-05 21:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-05 16:33 [Buildroot] [PATCH 1/2] system cfg: default mkpasswd to SHA Matt Weber
2018-12-05 16:33 ` [Buildroot] [PATCH 2/2] system cfg: remove passwd MD5 format Matt Weber
2018-12-05 21:55 ` Yann E. MORIN [this message]
2018-12-06 1:08 ` Matthew Weber
2018-12-06 1:54 ` Matthew Weber
2018-12-05 21:54 ` [Buildroot] [PATCH 1/2] system cfg: default mkpasswd to SHA Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181205215542.GB2561@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox