Subject: Re: Password Generation during RH Linux 6.x Installation
From: Fabian Kroenner (escher SPOILED.ORG)
Date: Thu Jun 08 2000 - 13:56:38 CDT
- In reply to: William R. Lorenz: "Password Generation during RH Linux 6.x Installation"
On Wed, Jun 07, 2000 at 11:21:42AM -0400, William R. Lorenz wrote:
> It seems as though, when entering a root password during RH Linux 6.x
> installation, the generated password, stored in the shadowed passwords file
> (/etc/shadow) does not contain a salt. This has occurred on three separate
> machines, and after the root password is changed using the `passwd` command,
> the salt is included in the encrypted password, as it should be. Can anyone
> confirm this observation and provide more details? Thanks, in advance.
The issue has been reported to Red Hat in Oct 1999, and to BugTraq in
Jan 2000. It affects the installer in Red Hat 6.0 & 6.1. The root
password set during installation is never using MD5 encryption, but
plain-old crypt(3) instead. It does not affect user-accounts generated
during install.
Changing the root password after installation is highly recommended on
Red Hat Linux 6.0 & 6.1. Red Hat has not issued an official advisory
on this.
See also:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=5542
http://www.securityportal.com/list-archive/bugtraq/2000/Jan/0273.html
Regards...
Fabian
__________________________________________________________________
pub 1024D/19AB6A00 1999-12-14 Fabian Kroenner <escher spoiled.org>
key fingerprint: 2311 6D40 FE1F 9D94 77AD 20CA 2F38 AD9E 19AB 6A00
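
An added example, not part of the original post: a check for the condition discussed above, classifying the password field of shadow(5)-format entries as traditional crypt(3) (13 characters) or MD5-based (`$1$` prefix). The sample entries and hash strings are constructed placeholders, and the function names are this example's own.

```python
import re

# Traditional crypt(3): 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-based crypt: $1$<salt, up to 8 chars>$<22 chars>
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def classify(field):
    """Return the scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "other"

def audit(shadow_text):
    """Map each account name to the scheme of its password field."""
    results = {}
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed entry, nothing to classify
        results[parts[0]] = classify(parts[1])
    return results

def des_accounts(shadow_text):
    """Accounts whose password is still stored with traditional crypt(3)."""
    return sorted(u for u, kind in audit(shadow_text).items() if kind == "des")

# Constructed sample in /etc/shadow layout; the hash strings are placeholders.
SAMPLE = """\
root:Zq8LmT3vKx0aE:11116:0:99999:7:::
bin:*:11116:0:99999:7:::
alice:$1$Xy3kPq9z$Ab0Cd1Ef2Gh3Ij4Kl5Mn6.:11116:0:99999:7:::
"""

if __name__ == "__main__":
    for user in des_accounts(SAMPLE):
        print(f"{user}: traditional crypt(3) hash, reset it with passwd")
```

On a real system the input would be the contents of /etc/shadow, read as root.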