* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Gustavo Zacarias @ 2016-03-10 19:43 UTC
To: buildroot
DES is terribly outdated and a security vulnerability.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
package/busybox/busybox.config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/busybox/busybox.config b/package/busybox/busybox.config
index 2cf989d..693b9d2 100644
--- a/package/busybox/busybox.config
+++ b/package/busybox/busybox.config
@@ -496,7 +496,7 @@ CONFIG_PASSWD=y
CONFIG_FEATURE_PASSWD_WEAK_CHECK=y
# CONFIG_CRYPTPW is not set
# CONFIG_CHPASSWD is not set
-CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des"
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"
CONFIG_SU=y
CONFIG_FEATURE_SU_SYSLOG=y
CONFIG_FEATURE_SU_CHECKS_SHELLS=y
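Review bot: the log does not explain why the replacement on the `+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"` line is md5 rather than a SHA-based scheme; "DES is terribly outdated" justifies leaving des but not the value chosen instead. Please add a sentence giving the reason for md5 (for example, that it is the value expected to work with every supported configuration), so a later change to a stronger default has a clear starting point.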
--
2.4.10
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Peter Korsgaard @ 2016-03-10 20:01 UTC
To: buildroot
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
> DES is terribly outdated and a security vulnerability.
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
> package/busybox/busybox.config | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/package/busybox/busybox.config b/package/busybox/busybox.config
> index 2cf989d..693b9d2 100644
> --- a/package/busybox/busybox.config
> +++ b/package/busybox/busybox.config
> @@ -496,7 +496,7 @@ CONFIG_PASSWD=y
> CONFIG_FEATURE_PASSWD_WEAK_CHECK=y
> # CONFIG_CRYPTPW is not set
> # CONFIG_CHPASSWD is not set
> -CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des"
> +CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"
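Review bot: missing documentation of scope for the changed CONFIG_FEATURE_DEFAULT_PASSWD_ALGO line: the option sets the default for hashes generated from now on (the context shows CONFIG_PASSWD=y with CONFIG_CRYPTPW and CONFIG_CHPASSWD unset), so entries already stored as DES hashes are not converted by this change. The log should say that existing passwords keep their DES hash until they are set again, so nobody reads the patch as removing DES hashes from a target.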
So this is what is used when you change password through the busybox
passwd applet or create a new user, right?
Shouldn't we instead tweak this based on BR2_TARGET_GENERIC_PASSWD_*?
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Gustavo Zacarias @ 2016-03-10 20:03 UTC
To: buildroot
On 10/03/16 17:01, Peter Korsgaard wrote:
> So this is what is used when you change password through the busybox
> passwd applet or create a new user, right?
>
> Shouldn't we instead tweak this based on BR2_TARGET_GENERIC_PASSWD_*?
Yes.
This is the lowest-common which is guaranteed to work on all scenarios,
once we decide/switch to sha256 as default we can update it here, but I
wouldn't defer this until then.
Regards.
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Peter Korsgaard @ 2016-03-10 22:00 UTC
To: buildroot
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
> On 10/03/16 17:01, Peter Korsgaard wrote:
>> So this is what is used when you change password through the busybox
>> passwd applet or create a new user, right?
>>
>> Shouldn't we instead tweak this based on BR2_TARGET_GENERIC_PASSWD_*?
> Yes.
> This is the lowest-common which is guaranteed to work on all
> scenarios, once we decide/switch to sha256 as default we can update it
> here, but I wouldn't defer this until then.
Ehh, yes - But if you have enabled e.g. BR2_TARGET_GENERIC_PASSWD_SHA512
then that is what the busybox passwd applet should use. Having it do md5
instead of des is still wrong.
--
Venlig hilsen,
Peter Korsgaard
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Arnout Vandecappelle @ 2016-03-11 0:10 UTC
To: buildroot
On 03/10/16 23:00, Peter Korsgaard wrote:
>>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
>
> > On 10/03/16 17:01, Peter Korsgaard wrote:
> >> So this is what is used when you change password through the busybox
> >> passwd applet or create a new user, right?
> >>
> >> Shouldn't we instead tweak this based on BR2_TARGET_GENERIC_PASSWD_*?
>
> > Yes.
> > This is the lowest-common which is guaranteed to work on all
> > scenarios, once we decide/switch to sha256 as default we can update it
> > here, but I wouldn't defer this until then.
>
> Ehh, yes - But if you have enabled e.g. BR2_TARGET_GENERIC_PASSWD_SHA512
> then that is what the busybox passwd applet should use. Having it do md5
> instead of des is still wrong.
Peter, you yourself said that we should limit the amount of KCONFIG_* fixups
we do. And there is no other way to make it depend on the
BR2_TARGET_GENERIC_PASSWD_* choice.
Regards,
Arnout
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Thomas Petazzoni @ 2016-03-22 23:03 UTC
To: buildroot
Hello,
On Thu, 10 Mar 2016 16:43:10 -0300, Gustavo Zacarias wrote:
> DES is terribly outdated and a security vulnerability.
>
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
> package/busybox/busybox.config | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to master, thanks.
I've (obviously) read the discussion with Peter, but I believe the
issue he is raising is different. We already have our Busybox
configuration default to "des", which is not consistent with the algo
choice made by the user in the Buildroot configuration. So switching to
"md5" is not making things any worse from that perspective.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
* [Buildroot] [PATCH] busybox: use md5 as default password algorithm
From: Peter Korsgaard @ 2016-03-24 20:54 UTC
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@free-electrons.com> writes:
Hi,
> I've (obviously) read the discussion with Peter, but I believe the
> issue he is raising is different. We already have our Busybox
> configuration default to "des", which is not consistent with the algo
> choice made by the user in the Buildroot configuration. So switching
> to "md5" is not making things any worse from that perspective.
True. It would be good if we could make busybox default to the algorithm
we've selected in buildroot, but that can be done later.
--
Bye, Peter Korsgaard
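A build-time check for the inconsistency discussed in this thread, written as an added example (it is not code from Buildroot, BusyBox or any poster). It assumes the lowercased suffix of the enabled BR2_TARGET_GENERIC_PASSWD_<ALGO> symbol is the string BusyBox expects; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a BusyBox default password algorithm that differs
# from the password encoding selected in the Buildroot configuration.

# Print the algorithm chosen via BR2_TARGET_GENERIC_PASSWD_<ALGO>=y, lowercased.
# Assumption: the symbol suffix (e.g. SHA512) maps directly to the BusyBox value.
br2_passwd_algo() {
    sed -n 's/^BR2_TARGET_GENERIC_PASSWD_\([A-Z0-9]*\)=y$/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Print the value of CONFIG_FEATURE_DEFAULT_PASSWD_ALGO from a BusyBox config.
busybox_passwd_algo() {
    sed -n 's/^CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="\(.*\)"$/\1/p' "$1" |
        head -n 1
}

# Print "match <algo>", "mismatch <buildroot> <busybox>" or "unknown".
# Return 0 on match, 1 on mismatch, 2 when either setting is absent.
check_passwd_algo() {
    br2=$(br2_passwd_algo "$1")
    bb=$(busybox_passwd_algo "$2")
    if [ -z "$br2" ] || [ -z "$bb" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$br2" = "$bb" ]; then
        echo "match $bb"
        return 0
    fi
    echo "mismatch $br2 $bb"
    return 1
}

# Constructed sample: Buildroot set to SHA512, BusyBox left at the md5 default.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# BR2_TARGET_GENERIC_PASSWD_MD5 is not set' \
        'BR2_TARGET_GENERIC_PASSWD_SHA512=y' > "$dir/buildroot.config"
    printf '%s\n' 'CONFIG_PASSWD=y' \
        'CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"' > "$dir/busybox.config"
    rc=0
    check_passwd_algo "$dir/buildroot.config" "$dir/busybox.config" || rc=$?
    rm -rf "$dir"
    return $rc
}

demo || true
```

Run against a real tree, the two arguments would be the Buildroot `.config` and the BusyBox configuration actually used for the build; a non-zero return can fail a CI step.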