Bug #17135

Don't store the admin password in cleartext

Added by segfault about 1 month ago. Updated 26 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: -
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Description

The Greeter currently stores the user-chosen admin password unhashed in /var/lib/gdm3/tails.password. In /etc/gdm3/PostLogin/Default, the password is then set via chpasswd and /var/lib/gdm3/tails.password is removed.

IMO, passwords should never be stored in cleartext. Instead, we should store them hashed and use chpasswd -e to set them.

This will also make it easier to persist the password, as part of persisting the Greeter options, which I plan to work on.

Associated revisions

Revision 71b72ab2 (diff)
Added by segfault about 1 month ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

Revision 40df5d14 (diff)
Added by segfault about 1 month ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

Revision 0ad35790 (diff)
Added by segfault about 1 month ago

Store admin password hashed and salted instead of in cleartext (refs: #17135)

By calling chpasswd with the -e option, it uses the provided hashed and
salted password instead of hashing and salting it via PAM.

PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.

History

#1 Updated by segfault about 1 month ago

  • Description updated (diff)

#2 Updated by segfault about 1 month ago

Using chpasswd -e does not seem to be a good idea, because then chpasswd won't use PAM to generate the password.

#3 Updated by segfault about 1 month ago

segfault wrote:

Using chpasswd -e does not seem to be a good idea, because then chpasswd won't use PAM to generate the password.

PAM uses the hash algorithm configured in /etc/login.defs, which is SHA512. So it should be fine if we generate the password with mkpasswd --method=sha512crypt and then set it via chpasswd -e. mkpasswd also takes care of generating a salt.
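
The flow discussed above (hash with mkpasswd --method=sha512crypt, set with chpasswd -e), sketched as an added example that is not Tails code. It also checks that the stored value really is a sha512crypt string before handing it to chpasswd -e, since with -e the value is treated as already hashed. The function names, `exampleuser` and the sample hash are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not Tails code. Function names are hypothetical.

# Succeeds only for a single-line crypt(3) SHA-512 string:
#   $6$[rounds=N$]salt$86-character digest
is_sha512crypt() {
    [ $(printf '%s\n' "$1" | wc -l) -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Prints the "user:hash" line that chpasswd -e reads on stdin. Refuses anything
# that is not a hash (e.g. leftover cleartext) without echoing the value.
chpasswd_line() {
    case $1 in ''|*:*) echo "bad user name" >&2; return 1;; esac
    is_sha512crypt "$2" || { echo "not a sha512crypt hash" >&2; return 1; }
    printf '%s:%s\n' "$1" "$2"
}

# Greeter side: read the password on stdin, write only the salted hash
# to file $1, created with mode 0600.
store_hashed() {
    ( umask 077; mkpasswd --method=sha512crypt --stdin > "$1" )
}

# PostLogin side (root): set the hash for user $1 from file $2, then remove it.
apply_hashed() {
    line=$(chpasswd_line "$1" "$(cat "$2")") || return 1
    printf '%s\n' "$line" | chpasswd -e && rm -f "$2"
}

# Constructed sample: valid syntax, all-zero placeholder digest (not a real hash).
SAMPLE_HASH="\$6\$examplesalt\$$(printf '%086d' 0)"
chpasswd_line exampleuser "$SAMPLE_HASH"
chpasswd_line exampleuser 'constructed-cleartext' || echo "cleartext rejected"
```

store_hashed needs mkpasswd (in Debian's whois package) and apply_hashed must run as root; neither is called by the demo lines at the end.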

#4 Updated by segfault about 1 month ago

  • Status changed from Confirmed to In Progress

#5 Updated by intrigeri about 1 month ago

4.0 is now frozen but if the changes are not invasive, given we have good test coverage for this IIRC, I'm open to making a freeze exception for it.

#6 Updated by intrigeri 26 days ago

  • Target version changed from Tails_4.0 to Tails_4.1
