Hashed passwords stored as MD5 hashes in /etc/shadow
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
system-config-kickstart (Ubuntu) | Invalid | Medium | Unassigned | |
Bionic | New | Undecided | Unassigned | |
Bug Description
The root password (if specified) and initial user account password (required) are encrypted using an (insecure) MD5 hash. The resulting kickstart file will build virtual machines that store the MD5 hashed password in /etc/shadow for the root and/or initial user.
Currently Ubuntu uses SHA512 for storing hashed passwords in /etc/shadow, but MD5 still works for the sake of backwards compatibility. Using MD5 hashes for any passwords is highly insecure and should be avoided.
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
$ lsb_release -rd
Description: Ubuntu 18.10
Release: 18.10
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
$ apt-cache policy system-
system-
Installed: 2.5.20-0ubuntu25
Candidate: 2.5.20-0ubuntu25
Version table:
*** 2.5.20-0ubuntu25 500
500 http://
500 http://
100 /var/lib/
3) What you expected to happen
I expected system-
4) What happened instead
system-
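An added example, not part of the original report or of system-config-kickstart: a Python check that reads the crypt(3) scheme prefix to flag MD5-crypt (`$1$`) entries in shadow-format text and in kickstart password directives. The sample lines and placeholder hashes are constructed, and the `rootpw` / `user ... --iscrypted` line layout is an assumption about what the generated kickstart file contains.

```python
import re

# crypt(3) "$id$" prefixes and the scheme each one selects.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt"}  # the scheme this report is about
HASH_RE = re.compile(r"\$(1|2[aby]|5|6|y)\$[A-Za-z0-9./$=,]+")

def classify(field):
    """Return the scheme name for a password field, or None if it is not a crypt hash."""
    # A leading '!' only locks the account; the hash behind it is still stored.
    m = HASH_RE.fullmatch(field.lstrip("!"))
    return SCHEMES[m.group(1)] if m else None

def audit_shadow(text):
    """Return [(account, scheme)] for shadow(5) lines whose hash scheme is weak."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify(fields[1]) in WEAK:
            findings.append((fields[0], classify(fields[1])))
    return findings

def audit_kickstart(text):
    """Return [(line_no, directive, scheme)] for pre-hashed passwords that are weak."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if words and words[0] in ("rootpw", "user") and "--iscrypted" in words:
            m = HASH_RE.search(line)
            if m and SCHEMES[m.group(1)] in WEAK:
                findings.append((n, words[0], SCHEMES[m.group(1)]))
    return findings

# Constructed samples: the "hashes" are placeholders, not real digests.
SHADOW = """\
root:$1$EXAMPLE0$AAAAAAAAAAAAAAAAAAAAAA:17800:0:99999:7:::
ubuntu:!$1$EXAMPLE1$BBBBBBBBBBBBBBBBBBBBBB:17800:0:99999:7:::
alice:$6$EXAMPLE2$CCCCCCCCCCCCCCCCCCCCCC:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
"""
KICKSTART = """\
lang en_US
rootpw --iscrypted $1$EXAMPLE0$AAAAAAAAAAAAAAAAAAAAAA
user ubuntu --fullname "Ubuntu User" --iscrypted --password $1$EXAMPLE1$BBBBBBBBBBBBBBBBBBBBBB
"""

if __name__ == "__main__":
    print(audit_shadow(SHADOW), audit_kickstart(KICKSTART))
```

Running the same check against the kickstart file before a build catches the weak scheme earlier than auditing /etc/shadow on the finished machine.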
information type: | Private Security → Public Security |
tags: | added: rls-dd-incoming |
Changed in system-config-kickstart (Ubuntu): | |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
Changed in system-config-kickstart (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in system-config-kickstart (Ubuntu): | |
assignee: | Canonical Foundations Team (canonical-foundations) → nobody |
tags: | added: id-5c93b5ed0e88b83056419916 |
tags: | removed: rls-dd-incoming |
tags: | added: fr-294 |
Changed in system-config-kickstart (Ubuntu): | |
status: | Triaged → Invalid |
I can fix this bug if someone can point me to the source repo. I found https://github.com/rhinstaller/system-config-kickstart on-line, but I'm not sure if Ubuntu pulls from the RHEL source repo so I don't know if fixing it there will help or not.