Possible security issue with blowfish shadow passwords

Kevin Day thekevinday at gmail.com
Thu Mar 15 10:08:37 PDT 2007


On 3/1/07, Stefan Krah <stefan-usenet at bytereef.org> wrote:
> The list did not accept my mail, so I resend it privately:
>
> Kevin Day <thekevinday at gmail.com> wrote:
> > > example:
> > >
> > > password = abcd
> > > 1) a = fail
> > > 2) acdd = fail
> > > 3) acdde = fail
> > > 4) abcd = pass
> > > 5) abcde = pass
> > > 6) abcd09824t6jkdjf93t293tiwegfskjeg = pass
> > > !!
>
> > Unfortunately, the password I am using (in which I do not want to
> > reveal if at all possible) is the only password that will seem to
> > break blowfish as far as I have tested.
>
>
> Is your password longer than 72 bytes? I think it's highly unlikely
> that blowfish is at fault. You can check against the OpenBSD
> implementation like this:
>
>
> wget http://www2.mindrot.org/files/py-bcrypt/py-bcrypt-0.1.tar.gz &&
> tar xvzf py-bcrypt-0.1.tar.gz &&
> cd py-bcrypt-0.1 &&
> python setup.py install
>
>
> Use two small scripts:
>
> hashit.py
> ========================================================================
> #!/usr/bin/env python
>
>
> import bcrypt
>
>
> def raw_input_strip(string):
>     return raw_input(string).strip()
>
> password = raw_input_strip("Password: ")
>
> print bcrypt.hashpw(password, bcrypt.gensalt())
> ========================================================================
>
>
> checkpasswd.py
> ========================================================================
> #!/usr/bin/env python
>
>
> import bcrypt
>
>
> def raw_input_strip(string):
>     return raw_input(string).strip()
>
> password = raw_input_strip("Password: ")
>
> print bcrypt.hashpw(password, bcrypt.gensalt())
> ========================================================================
>
>
> Example:
>
> stefan at canberra:/tmp> ./hashit.py
> Password: abcd
> $2a$12$p9ZKPwYvajybCUArduwPz.HvTTtXWAFuV5O7FI56FlRFq8EcNGJ7W
>
> stefan at canberra:/tmp> ./checkpass.py
> Hashed: $2a$12$p9ZKPwYvajybCUArduwPz.HvTTtXWAFuV5O7FI56FlRFq8EcNGJ7W
> Password: abcd
> $2a$12$p9ZKPwYvajybCUArduwPz.HvTTtXWAFuV5O7FI56FlRFq8EcNGJ7W
>
> stefan at canberra:/tmp> ./checkpass.py
> Hashed: $2a$12$p9ZKPwYvajybCUArduwPz.HvTTtXWAFuV5O7FI56FlRFq8EcNGJ7W
> Password: abcda
> $2a$12$p9ZKPwYvajybCUArduwPz.q3GZYAcoe8m.X0vRmj5EkH9wEecC3.e
>
>
>
> Stefan Krah
>

And so, I end up finding a security flaw of sorts in Linux-PAM.
Way back when, where I "accidentally" discovered that it accepted and
created passwords when changing md5 to blowfish (for when I had the
shadow-blowfish patch.
I later re-compiled without blowfish in shadow and forgot to change
blowfish back to md5.
I then noticed, it still generated passwords that the blowfish system
would accept.
I have not seen what encrypted blowfish passwords looked like, but
thanks to the above I was able to catch the problem.

-->So, I am not using blowfish at all.<--
Changing Linux-PAM to something_other_than_md5 still creates some sort
of valid password under Linux-PAM.  Perhaps it defaults to the basic
linux passwords instead of generating an error on unsupported password
encryptions.

What I said in the mess above is that, on any unknown encryptions in
the /etc/pam.d/{passwd,login} files will result in not an error, but
the generation of some (much weaker) password encryption that is
easily broken.

Looks like I might have to drop Linux-PAM afterall.

(as a side note, I also managed to get other passwords to cause the
breakage under the invalid Linux-PAM configuration)

-- 
Kevin Day



More information about the hlfs-dev mailing list