Project

General

Profile

Bug #17135

Don't store the admin password in cleartext

Added by segfault 6 months ago. Updated about 20 hours ago.

Status:
In Progress
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
bugfix/17135-store-admin-pw-hashed
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

The Greeter currently stores the user-chosen admin password unhashed in /var/lib/gdm3/tails.password. In /etc/gdm3/PostLogin/Default, the password is then set via chpasswd and /var/lib/gdm3/tails.password is removed.

IMO, passwords should never be stored in cleartext. Instead, we should store them hashed and use chpasswd -e to set them.

This will also make it easier to persist the password, as part of persisting the Greeter options, which I plan to work on.

Associated revisions

Revision 71b72ab2 (diff)
Added by segfault 6 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

Revision 40df5d14 (diff)
Added by segfault 6 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 0ad35790 (diff)
Added by segfault 6 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision a45f0928 (diff)
Added by segfault 2 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 320c7494 (diff)
Added by segfault 2 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 427685a9 (diff)
Added by segfault 2 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 394c8b76 (diff)
Added by segfault 2 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 3d98e883 (diff)
Added by segfault about 2 months ago

Add a script which checks if PAM uses SHA512 to hash passwords (refs: #17135)

Revision 12734876 (diff)
Added by segfault about 2 months ago

Store the name of the hash function along with the hashed password (refs: #17135)

... so that we can detect when the hashed password becomes incompatible
with the PAM config (in case that the hash function used by PAM
changes).

Revision c4bb0340 (diff)
Added by segfault about 2 months ago

Make sure that the password does not get hashed twice (refs: #17135)

Revision 05bc0c68 (diff)
Added by segfault about 2 months ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision b0e273bf (diff)
Added by segfault about 2 months ago

Add a script which checks if PAM uses SHA512 to hash passwords (refs: #17135)

Revision 78e73c51 (diff)
Added by segfault about 2 months ago

Store the name of the hash function along with the hashed password (refs: #17135)

... so that we can detect when the hashed password becomes incompatible
with the PAM config (in case that the hash function used by PAM
changes).

Revision 62cf8403 (diff)
Added by segfault about 2 months ago

Make sure that the password does not get hashed twice (refs: #17135)

History

#1 Updated by segfault 6 months ago

  • Description updated (diff)

#2 Updated by segfault 6 months ago

Using chpasswd -e does not seem to be a good idea, because then chpasswd won't use PAM to generate the password.

#3 Updated by segfault 6 months ago

segfault wrote:

Using chpasswd -e does not seem to be a good idea, because then chpasswd won't use PAM to generate the password.

PAM uses the hash algorithm configured in /etc/login.defs, which is SHA512. So it should be fine if we generate the password with mkpasswd --method=sha512crypt and then set it via chpasswd -e. mkpasswd also takes care of generating a salt.

#4 Updated by segfault 6 months ago

  • Status changed from Confirmed to In Progress

#5 Updated by intrigeri 6 months ago

4.0 is now frozen but if the changes are not invasive, given we have good test coverage for this IIRC, I'm open to making a freeze exception for it.

#6 Updated by intrigeri 6 months ago

  • Target version changed from Tails_4.0 to Tails_4.1

#7 Updated by segfault 4 months ago

  • Target version changed from Tails_4.1 to Tails_4.2
  • Feature Branch set to bugfix/17135-store-admin-pw-hashed

#8 Updated by CyrilBrulebois 3 months ago

  • Target version changed from Tails_4.2 to Tails_4.3

#9 Updated by anonym about 2 months ago

  • Target version changed from Tails_4.3 to Tails_4.4

#10 Updated by CyrilBrulebois 27 days ago

  • Target version changed from Tails_4.4 to Tails_4.5

#11 Updated by CyrilBrulebois about 20 hours ago

  • Target version changed from Tails_4.5 to Tails_4.6

Also available in: Atom PDF