Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: normal
Tags: patch

Dear Maintainer,

/etc/login.defs contains this:

#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512

Which would make the user think that SHA512 is being used. However, in reality, it's YESCRYPT that is being used, because that is what PAM uses.

Therefore the default Debian configuration does not adhere to its own advice in the file, where the values should be consistent both in /etc/login.defs and in PAM.

Patch attached to make the value in /etc/login.defs consistent with PAM.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages login depends on:
ii  libaudit1       1:3.0.9-1
ii  libc6           2.36-9+deb12u1
ii  libcrypt1       1:4.4.33-2
ii  libpam-modules  1.5.2-6
ii  libpam-runtime  1.5.2-6
ii  libpam0g        1.5.2-6

login recommends no packages.

login suggests no packages.

-- no debconf information
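
The mismatch described in the report can be checked mechanically. The following is an added example, not part of the original report or of the login package: it compares ENCRYPT_METHOD in login.defs with the hash option on the pam_unix password line. The path /etc/pam.d/common-password, the sample PAM line and all function names are assumptions of this example.

```python
import re
from pathlib import Path

# pam_unix hashing options mapped to the login.defs ENCRYPT_METHOD spelling
PAM_TO_LOGIN_DEFS = {
    "md5": "MD5", "sha256": "SHA256", "sha512": "SHA512",
    "blowfish": "BCRYPT", "yescrypt": "YESCRYPT",
}

def login_defs_method(text):
    """Return the uncommented ENCRYPT_METHOD value, or None if it is unset."""
    method = None
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "ENCRYPT_METHOD":
            method = fields[1].upper()  # this sketch keeps the last occurrence
    return method

def pam_unix_method(text):
    """Return the hash named on the pam_unix password line, or None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        # Collapse a bracketed control field such as [success=1 default=ignore]
        fields = re.sub(r"\[[^\]]*\]", "CONTROL", line).split()
        if len(fields) >= 3 and fields[0] == "password" and "pam_unix.so" in fields[2]:
            for opt in fields[3:]:
                if opt in PAM_TO_LOGIN_DEFS:
                    return PAM_TO_LOGIN_DEFS[opt]
    return None

def check(login_defs_text, pam_text):
    """Return (consistent, login_defs_value, pam_value)."""
    a, b = login_defs_method(login_defs_text), pam_unix_method(pam_text)
    return (a is not None and a == b, a, b)

# Constructed samples modelled on the situation in the report
SAMPLE_LOGIN_DEFS = "# the PAM modules configuration.\n#\nENCRYPT_METHOD SHA512\n"
SAMPLE_PAM = "password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt\n"

if __name__ == "__main__":
    defs, pam = Path("/etc/login.defs"), Path("/etc/pam.d/common-password")
    if defs.exists() and pam.exists():
        ok, a, b = check(defs.read_text(), pam.read_text())
    else:  # fall back to the constructed samples when run off a Debian host
        ok, a, b = check(SAMPLE_LOGIN_DEFS, SAMPLE_PAM)
    print(f"login.defs={a} pam_unix={b} ->", "consistent" if ok else "MISMATCH")
```
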
>From b12158ecf8c9f85a3870d5fca64335d09f339df6 Mon Sep 17 00:00:00 2001 From: Your Name <y...@example.com> Date: Mon, 7 Aug 2023 19:07:17 +0000 Subject: [PATCH] use consistent algorithm --- debian/login.defs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/login.defs b/debian/login.defs index bc129779..40f8c74a 100644 --- a/debian/login.defs +++ b/debian/login.defs @@ -291,7 +291,7 @@ USERGROUPS_ENAB yes # Note: It is recommended to use a value consistent with # the PAM modules configuration. # -ENCRYPT_METHOD SHA512 +ENCRYPT_METHOD YESCRYPT # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -- 2.39.2
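
Review bot: The trailing context line of the hunk, "# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.", introduces a setting that no longer applies once the value above it becomes YESCRYPT, so that comment block should be checked and adjusted in the same change or the effect noted in the commit message. The commit message itself is only the subject "use consistent algorithm" with no body; it should say that the value is being aligned with what PAM uses and reference the bug, and the From line still carries the placeholder identity "Your Name".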