Ubuntu
whois package

mkpasswd interprets "rounds" as salt

Bug #1987683 reported by Brian Candler
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
whois (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

The mkpasswd utility is given as the suggested way generating a hashed password, in the cloud-init documentation at https://cloudinit.readthedocs.io/en/latest/topics/modules.html#users-and-groups

It has a "--rounds" option for specifying the number of rounds. However when used, this value is instead placed in the salt!

$ mkpasswd --rounds 4096 --method=SHA-512 abcd1234
$6$rounds=4096$Cx/QdVDyt306i5iI$YX/t7Xh6z2XvsBMyATbe7it8V7Pklk7NPbaFirLSW0vC71PI0.ItisRiI4gPzW.uSYQBGixBb/nzJKdjBNbGO.

A proper random salt is generated if you omit the number of rounds:

$ mkpasswd --method=SHA-512 abcd1234
$6$yQlrdhD2nd/iCDVo$f2wSU/h057tdTMwupXk4WPARyJgbKdiSqzf8Ghp9yHNI/tI7w3WEqkqUu8QAkSxA8YFRIGIeH3UUZIrfPtTYQ/

Is this a security vulnerability? Perhaps, if you use mkpasswd as documented, don't inspect its output, and don't realise that you're getting a static salt.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: whois 5.5.13
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Thu Aug 25 17:03:07 2022
InstallationDate: Installed on 2016-10-31 (2123 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
ProcEnviron:
 LANGUAGE=en_GB:en
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: whois
UpgradeStatus: Upgraded to jammy on 2022-08-25 (0 days ago)

Revision history for this message
Brian Candler (b-candler) wrote :
Revision history for this message
Marco d'Itri (md) wrote :

Come on. https://github.com/dchest/historic-password-hashes/blob/master/glibc-sha-crypt.txt

Revision history for this message
Brian Candler (b-candler) wrote :

How embarrassing. Very sorry!

Revision history for this message
Bryce Harrington (bryce) wrote :

:-)

"""
For the SHA-based methods the SALT string can be a simple string of
which up to 16 characters are used. The MD5-based implementation used
up to eight characters.. It was decided to allow one extension which
follows an invention Sun implemented in their pluggable crypt
implementation. If the SALT strings starts with

   rounds=<N>$

where N is an unsigned decimal number the numeric value of N is used
to modify the algorithm used. As will be explained later, the
SHA-based algorithm contains a loop which can be run an arbitrary
number of times. The more rounds are performed the higher the CPU
requirements are. This is a safety mechanism which might help
countering brute-force attacks in the face of increasing computing
power.

The default number of rounds for both algorithms is 5000.
"""

Changed in whois (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.