Re: Are we still use md5 as default as password hash?
If there is no objection I’d go ahead and merge this?

https://github.com/openwrt/openwrt/pull/14426

* busybox: enable sha hash for /etc/shadow
* busybox: switch to sha256 for passwd

Best,
Paul

> On Jan 19, 2024, at 08:38, abnoeh wrote:
>
> sorry, use_bcrypt isn't something in mainline busybox but a patched
> version so I think sha256 is best option here
>
> On 2024-01-19 at 4:28 PM, abnoeh wrote:
>> that option only applies if we use busybox internal crypt,
>> BUSYBOX_DEFAULT_USE_BB_CRYPT is set but we don't so it isn't needed
>> (it's using musl here)
>>
>> you'd need to change this option (line 1367) on same file
>>
>> config BUSYBOX_DEFAULT_FEATURE_DEFAULT_PASSWD_ALGO
>>     string
>>     default "md5"
>>
>> to something better like sha256 or sha512: this will make all new
>> passwds to use new hash (shell or luci), but won't upgrade without user
>> changing it first. but we'd better expose and set USE_BCRYPT of busybox
>> option to be able to use bcrypt here (not sure routers cpu can handle it
>> as it's made to be slow though).
>>
>> On 2024-01-18 at 8:21 PM, Paul Spooren wrote:
>>> Hi,
>>> however Busybox isn't configured to use those and still uses md5 as default, while we bring other hash algos into flash anyway:
>>> Does the following do the trick?
>>>
>>> diff --git a/package/utils/busybox/Config-defaults.in >>> b/package/utils/busybox/Config-defaults.in >>> index b3c3f9a0b2..5ae8dd5622 100644 >>> --- a/package/utils/busybox/Config-defaults.in >>> +++ b/package/utils/busybox/Config-defaults.in 
>>> @@ -1333,7 +1333,7 @@ config BUSYBOX_DEFAULT_USE_BB_CRYPT >>> default n >>> config BUSYBOX_DEFAULT_USE_BB_CRYPT_SHA >>> bool >>> - default n >>> + default y >>> config BUSYBOX_DEFAULT_ADD_SHELL >>> bool >>> default n
>>>
>>> If so I’d create a PR
>>>
>>> Best,
>>> Paul

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: Are we still use md5 as default as password hash?
sorry, use_bcrypt isn't something in mainline busybox but a patched version so I think sha256 is best option here

On 2024-01-19 at 4:28 PM, abnoeh wrote:

that option only applies if we use busybox internal crypt, BUSYBOX_DEFAULT_USE_BB_CRYPT is set but we don't so it isn't needed (it's using musl here)

you'd need to change this option (line 1367) on same file

config BUSYBOX_DEFAULT_FEATURE_DEFAULT_PASSWD_ALGO
    string
    default "md5"

to something better like sha256 or sha512: this will make all new passwds to use new hash (shell or luci), but won't upgrade without user changing it first. but we'd better expose and set USE_BCRYPT of busybox option to be able to use bcrypt here (not sure routers cpu can handle it as it's made to be slow though).

On 2024-01-18 at 8:21 PM, Paul Spooren wrote:

Hi,

however Busybox isn't configured to use those and still uses md5 as default, while we bring other hash algos into flash anyway:

Does the following do the trick?

diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in index b3c3f9a0b2..5ae8dd5622 100644 --- a/package/utils/busybox/Config-defaults.in +++ b/package/utils/busybox/Config-defaults.in @@ -1333,7 +1333,7 @@ config BUSYBOX_DEFAULT_USE_BB_CRYPT default n config BUSYBOX_DEFAULT_USE_BB_CRYPT_SHA bool - default n + default y config BUSYBOX_DEFAULT_ADD_SHELL bool default n

If so I’d create a PR

Best,
Paul
Re: Are we still use md5 as default as password hash?
that option only applies if we use busybox internal crypt, BUSYBOX_DEFAULT_USE_BB_CRYPT is set but we don't so it isn't needed (it's using musl here)

you'd need to change this option (line 1367) on same file

config BUSYBOX_DEFAULT_FEATURE_DEFAULT_PASSWD_ALGO
    string
    default "md5"

to something better like sha256 or sha512: this will make all new passwds to use new hash (shell or luci), but won't upgrade without user changing it first. but we'd better expose and set USE_BCRYPT of busybox option to be able to use bcrypt here (not sure routers cpu can handle it as it's made to be slow though).

On 2024-01-18 at 8:21 PM, Paul Spooren wrote:

Hi,

however Busybox isn't configured to use those and still uses md5 as default, while we bring other hash algos into flash anyway:

Does the following do the trick?

diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in index b3c3f9a0b2..5ae8dd5622 100644 --- a/package/utils/busybox/Config-defaults.in +++ b/package/utils/busybox/Config-defaults.in @@ -1333,7 +1333,7 @@ config BUSYBOX_DEFAULT_USE_BB_CRYPT default n config BUSYBOX_DEFAULT_USE_BB_CRYPT_SHA bool - default n + default y config BUSYBOX_DEFAULT_ADD_SHELL bool default n

If so I’d create a PR

Best,
Paul
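The reply above notes that a new default only applies to passwords set afterwards, so existing md5 entries stay in /etc/shadow until each user changes their password. The following is an added example, not code from the thread or from OpenWrt, that finds such entries by their crypt(3) prefix; the function names and the sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report /etc/shadow entries still stored as md5 or DES.

# Map one shadow password field to a scheme name via its crypt(3) prefix.
shadow_scheme() {
    case "$1" in
        '')          echo empty;  return ;;   # no password set
        '*'|'!'|'x') echo locked; return ;;   # login disabled, no hash
    esac
    h=${1#'!'}   # a locked account keeps its hash after a leading '!'
    case "$h" in
        '$1$'*)         echo md5 ;;
        '$2'[abxy]'$'*) echo bcrypt ;;
        '$5$'*)         echo sha256 ;;
        '$6$'*)         echo sha512 ;;
        '$'*)           echo unknown ;;
        *)              echo des ;;      # traditional crypt has no '$' prefix
    esac
}

# Read shadow-format lines on stdin; print "user scheme" for weak entries.
weak_accounts() {
    while IFS=: read -r user field _rest; do
        case "$(shadow_scheme "$field")" in
            md5) echo "$user md5" ;;
            des) echo "$user des" ;;
        esac
    done
}

# Constructed sample data (not real hashes), in /etc/shadow layout.
sample_shadow() {
    cat <<'EOF'
root:$1$CONSTRUCT$notARealMd5HashValue00:19700:0:99999:7:::
admin:$5$CONSTRUCT$notARealSha256HashValue:19740:0:99999:7:::
backup:!$1$CONSTRUCT$notARealMd5HashValue11:19700:0:99999:7:::
legacy:abNotARealDES:19000:0:99999:7:::
daemon:*:0:0:99999:7:::
guest::0:0:99999:7:::
EOF
}

sample_shadow | weak_accounts   # on a device: weak_accounts < /etc/shadow
```

Accounts it lists keep their old hash until the password is set again with the new default in place.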
Re: Are we still use md5 as default as password hash?
Hi,

you will also need to enable additional ciphers in musl libc (disabling the crypt size hack).

Please disregard that remark, it has already been pointed out that the hack is disabled by default since quite some time.

~ Jo
Re: Are we still use md5 as default as password hash?
Hi,

Does the following do the trick?

you will also need to enable additional ciphers in musl libc (disabling the crypt size hack).

~ Jo
Re: Are we still use md5 as default as password hash?
Hi,

> however Busybox isn't configured to use those and still uses md5 as
> default, while we bring other hash algos into flash anyway:

Does the following do the trick?

diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in index b3c3f9a0b2..5ae8dd5622 100644 --- a/package/utils/busybox/Config-defaults.in +++ b/package/utils/busybox/Config-defaults.in @@ -1333,7 +1333,7 @@ config BUSYBOX_DEFAULT_USE_BB_CRYPT default n config BUSYBOX_DEFAULT_USE_BB_CRYPT_SHA bool - default n + default y config BUSYBOX_DEFAULT_ADD_SHELL bool default n

If so I’d create a PR

Best,
Paul
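Review bot: the `default y` flip lands on BUSYBOX_DEFAULT_USE_BB_CRYPT_SHA while the context line just above it still leaves BUSYBOX_DEFAULT_USE_BB_CRYPT at `default n`, so the SHA option is switched on for a feature that stays off and nothing in this hunk changes which algorithm new passwords are hashed with. Either flip the parent option in the same patch or, if the libc crypt is meant to stay in use as the follow-up in this thread says, drop this hunk and change BUSYBOX_DEFAULT_FEATURE_DEFAULT_PASSWD_ALGO (quoted in the thread as `default "md5"`) instead. The commit message should state which of the two is intended and that existing hashes are not converted.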
Are we still use md5 as default as password hash?
old times there was a musl size hack that disabled everything except DES and md5, but that was disabled in 2021 Dec https://github.com/openwrt/openwrt/commit/66768755791286fc02a38d1b437a9da74290041d, allowing sha256, sha512 and blowfish

however Busybox isn't configured to use those and still uses md5 as default, while we bring other hash algos into flash anyway: