mkpasswd interprets "rounds" as salt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
whois (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
The mkpasswd utility is given as the suggested way of generating a hashed password in the cloud-init documentation at https:/
It has a "--rounds" option for specifying the number of rounds. However when used, this value is instead placed in the salt!
$ mkpasswd --rounds 4096 --method=SHA-512 abcd1234
$6$rounds=
A proper random salt is generated if you omit the number of rounds:
$ mkpasswd --method=SHA-512 abcd1234
$6$yQlrdhD2nd/
Is this a security vulnerability? Perhaps, if you use mkpasswd as documented, don't inspect its output, and don't realise that you're getting a static salt.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: whois 5.5.13
ProcVersionSign
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
Date: Thu Aug 25 17:03:07 2022
InstallationDate: Installed on 2016-10-31 (2123 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
ProcEnviron:
LANGUAGE=en_GB:en
TERM=xterm-
PATH=(custom, no user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: whois
UpgradeStatus: Upgraded to jammy on 2022-08-25 (0 days ago)
Come on. https://github.com/dchest/historic-password-hashes/blob/master/glibc-sha-crypt.txt
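The string layout the linked glibc sha-crypt specification describes, as an added example (not code from the bug report or from the whois/mkpasswd project): a small parser that splits a `$5$`/`$6$` crypt string into its fields, showing that `rounds=N` is a separate, optional field in front of the salt rather than part of it. The function name is mine, and the digest values in the sample strings are constructed placeholders, not real hashes.

```python
# Constants from the glibc sha-crypt specification.
ROUNDS_DEFAULT = 5000
ROUNDS_MIN = 1000
ROUNDS_MAX = 999_999_999
SALT_MAX_LEN = 16
CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def parse_sha_crypt(crypt_string):
    """Split a glibc sha-crypt string into its fields.

    Accepted layouts:
      $5$salt$hash            SHA-256, implicit default rounds
      $6$rounds=N$salt$hash   SHA-512, explicit rounds
    Returns a dict: method, rounds, rounds_explicit, salt, hash.
    """
    parts = crypt_string.split("$")
    if len(parts) < 4 or parts[0] != "":      # leading "$" yields an empty first element
        raise ValueError("not a $5$/$6$ crypt string")
    method = parts[1]
    if method not in ("5", "6"):
        raise ValueError("unsupported method id %r" % method)
    fields = parts[2:]
    rounds, explicit = ROUNDS_DEFAULT, False
    if fields[0].startswith("rounds="):
        digits = fields[0][len("rounds="):]
        if not digits.isdigit():
            raise ValueError("rounds= must be a decimal number")
        # glibc clamps out-of-range values rather than rejecting them.
        rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, int(digits)))
        explicit = True
        fields = fields[1:]
    if len(fields) != 2:
        raise ValueError("expected exactly a salt field and a hash field")
    salt, digest = fields
    salt = salt[:SALT_MAX_LEN]                # glibc uses at most 16 salt characters
    if not salt or not set(salt) <= CRYPT_ALPHABET:
        raise ValueError("salt missing or contains characters outside ./0-9A-Za-z")
    return {"method": "sha256" if method == "5" else "sha512",
            "rounds": rounds, "rounds_explicit": explicit,
            "salt": salt, "hash": digest}


# Constructed samples: the salt is the one from the report, the digest is a dummy.
FAKE_DIGEST = "X" * 86
WITH_ROUNDS = "$6$rounds=4096$yQlrdhD2nd/$" + FAKE_DIGEST
WITHOUT_ROUNDS = "$6$yQlrdhD2nd/$" + FAKE_DIGEST

if __name__ == "__main__":
    for s in (WITH_ROUNDS, WITHOUT_ROUNDS):
        print(parse_sha_crypt(s))
```

Comparing the `salt` field of two `mkpasswd` outputs for the same password is the check that would have shown the salt is still random when `--rounds` is given.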