Package: libpam-modules
Version: 1.1.8-3.1
Severity: normal
Tags: security

Steps to reproduce:

1) Edit /etc/pam.d/common-password and change

   password [success=1 default=ignore] pam_unix.so obscure sha512

   to

   password [success=1 default=ignore] pam_unix.so obscure sha512 remember=12

2) Use 'passwd' to change your password.

3) Observe how /etc/security/opasswd contains an MD5-hashed version of the password even though the sha512 option is used with pam_unix. (It is marked with "$1$", whereas "$6$" would indicate SHA-512.)

More info:

1) The save_old_password() function in modules/pam_unix/passverify.c seems to be hardcoded to call crypt_md5_wrapper() in all cases.

2) This causes the remember=12 option to lower the security of the system unintentionally.

3) A workaround seems to be to use the pam_pwhistory.so module.

Proposed solutions:

1) Document the limitation of pam_unix.so's remember= option, or
2) Fix the remember= option, or
3) Remove the remember= option.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libaudit1              1:2.4-1+b1
ii  libc6                  2.19-18
ii  libdb5.3               5.3.28-9
ii  libpam-modules-bin     1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information:
  libpam-modules/disable-screensaver:
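To check whether a system is affected by the behaviour described in this report, an administrator can inspect the hash prefixes stored in /etc/security/opasswd. The script below is an added example (not code from the report or from Linux-PAM) that parses opasswd-style records and flags entries hashed with MD5 ("$1$") or traditional DES crypt; it assumes the record layout user:uid:count:hash1,hash2,... and uses the standard crypt(3) prefix conventions to identify the algorithm. The sample records are constructed for the example.

```python
"""Audit /etc/security/opasswd-style password history for weak hash formats."""
import re

# crypt(3) hash prefixes and the algorithm each identifies.
HASH_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$y$": "yescrypt",
}

# Algorithms that should not appear in a password history on a modern system.
WEAK_ALGORITHMS = {"md5", "descrypt"}


def classify_hash(crypt_hash):
    """Return the algorithm name for a crypt(3)-style hash string."""
    for prefix, name in HASH_PREFIXES.items():
        if crypt_hash.startswith(prefix):
            return name
    # Traditional DES crypt: 13 characters from the crypt alphabet, no "$" prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", crypt_hash):
        return "descrypt"
    return "unknown"


def parse_opasswd_line(line):
    """Parse one record. Assumed layout: user:uid:count:hash1,hash2,..."""
    parts = line.rstrip("\n").split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed opasswd record: %r" % line)
    user, uid, count, hashes = parts
    return {
        "user": user,
        "uid": int(uid),
        "count": int(count),
        "hashes": [h for h in hashes.split(",") if h],
    }


def audit_opasswd(text):
    """Return (user, algorithm, hash_prefix) for every weakly hashed history entry."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_opasswd_line(line)
        for crypt_hash in record["hashes"]:
            algorithm = classify_hash(crypt_hash)
            if algorithm in WEAK_ALGORITHMS:
                # Only a short prefix is reported so the hash itself is not echoed into logs.
                findings.append((record["user"], algorithm, crypt_hash[:12]))
    return findings


# Constructed sample: alice's history was written by pam_unix remember= (MD5),
# bob's by a module that honours the SHA-512 setting.
SAMPLE_OPASSWD = (
    "alice:1000:2:$1$AbCdEfGh$xxxxxxxxxxxxxxxxxxxxxx,$1$IjKlMnOp$yyyyyyyyyyyyyyyyyyyyyy\n"
    "bob:1001:1:$6$saltsalt$zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz\n"
)


def main():
    # On a real system, read the file instead of the constructed sample:
    #   with open("/etc/security/opasswd") as f: text = f.read()
    for user, algorithm, prefix in audit_opasswd(SAMPLE_OPASSWD):
        print("WEAK history hash for %s: %s (%s...)" % (user, algorithm, prefix))


if __name__ == "__main__":
    main()
```

Run as root against the real file (see the comment in main()); any "md5" or "descrypt" finding means the history file holds hashes weaker than the configured /etc/shadow algorithm, which is the condition this report describes. Switching the history function to pam_pwhistory.so, as the report suggests, and rewriting the affected users' history stops new weak entries from being added.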