Bug 833

Summary: One-way hashing algorithm
Product: Sudo Reporter: Dhiraj <mishra.dhiraj95>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: normal
Priority: low
Version: 1.8.22
Hardware: PC
OS: Linux

Description Dhiraj 2018-05-10 09:29:48 MDT
Hi Todd, 

/plugins/sudoers/auth/passwd.c:83 

i.e.

epass = (char *) crypt(pass, pw_epasswd);

The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327).

Using a different algorithm, such as SHA-256, with a larger, non-repeating salt, would be much better.

Please advise on the same.

Thank you
Dhiraj
Comment 1 Todd C. Miller 2018-05-10 11:14:56 MDT
That code is only used to verify a user's system password and is not even compiled on PAM systems. There's actually no guarantee of what the password algorithm or the max password length might be; these are system-dependent.

It seems like you are just searching the sudo source tree for the use of certain functions without really understanding the underlying code.
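The exchange above turns on how crypt(3) selects its algorithm: the setting string passed as the second argument (here pw_epasswd, the hash already stored for the account) carries an identifier such as $5$ or $6$, and a field with no $ prefix is the traditional 13-character DES form the reporter describes. The following is an added example, not code from sudo or from either participant: a parser that classifies a stored crypt(3) field and reports its salt length and the password-length limit the algorithm imposes, which is what the caller of crypt() actually inherits. The sample fields in main() are constructed to have the right shape and are not hashes of any real password; the prefixes follow the glibc/libxcrypt conventions, and the max_pass_len values (8 for DES, 72 for bcrypt) are the limits those algorithms impose.

```c
#include <stdio.h>
#include <string.h>

enum crypt_scheme {
    SCHEME_UNKNOWN = 0,
    SCHEME_DES,      /* traditional: 2-char salt, password truncated at 8 */
    SCHEME_MD5,      /* $1$ */
    SCHEME_BCRYPT,   /* $2a$ / $2b$ / $2y$ */
    SCHEME_SHA256,   /* $5$ */
    SCHEME_SHA512,   /* $6$ */
    SCHEME_YESCRYPT  /* $y$ */
};

struct crypt_info {
    enum crypt_scheme scheme;
    size_t salt_len;   /* salt characters present in the stored field */
    int max_pass_len;  /* password bytes the algorithm uses; 0 = no limit */
};

/* The [./0-9A-Za-z] alphabet traditional DES crypt() output is drawn from. */
static int is_hash64_char(int c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Length of the run of characters up to the next '$' (or end of string). */
static size_t field_len(const char *p)
{
    const char *d = strchr(p, '$');
    return d ? (size_t)(d - p) : strlen(p);
}

const char *scheme_name(enum crypt_scheme s)
{
    switch (s) {
    case SCHEME_DES:      return "traditional DES";
    case SCHEME_MD5:      return "MD5-crypt ($1$)";
    case SCHEME_BCRYPT:   return "bcrypt ($2b$)";
    case SCHEME_SHA256:   return "SHA-256-crypt ($5$)";
    case SCHEME_SHA512:   return "SHA-512-crypt ($6$)";
    case SCHEME_YESCRYPT: return "yescrypt ($y$)";
    default:              return "unknown / not a usable hash";
    }
}

/* Returns 0 and fills *out on success, -1 if the field is not a recognised
 * crypt(3) setting (e.g. the "!" or "*" placed in locked accounts). */
int parse_crypt_setting(const char *pw, struct crypt_info *out)
{
    memset(out, 0, sizeof *out);
    if (pw == NULL || *pw == '\0')
        return -1;

    if (pw[0] != '$') {
        /* Traditional DES: exactly 13 hash64 chars, the first two are the salt. */
        size_t n = strlen(pw);
        if (n != 13) return -1;
        for (size_t i = 0; i < n; i++)
            if (!is_hash64_char(pw[i])) return -1;
        out->scheme = SCHEME_DES;
        out->salt_len = 2;
        out->max_pass_len = 8;
        return 0;
    }

    const char *id = pw + 1;            /* algorithm identifier between the $ signs */
    size_t idlen = field_len(id);
    const char *p = id + idlen;
    if (*p != '$') return -1;           /* no second '$': malformed */
    p++;                                /* start of the parameter/salt area */

    if (idlen == 1 && id[0] == '1') {
        out->scheme = SCHEME_MD5;
        out->salt_len = field_len(p);   /* up to 8 chars */
    } else if (idlen == 1 && (id[0] == '5' || id[0] == '6')) {
        out->scheme = id[0] == '5' ? SCHEME_SHA256 : SCHEME_SHA512;
        if (strncmp(p, "rounds=", 7) == 0) {   /* optional rounds=N$ field */
            p += field_len(p);
            if (*p != '$') return -1;
            p++;
        }
        out->salt_len = field_len(p);   /* up to 16 chars */
    } else if (idlen == 2 && id[0] == '2' &&
               (id[1] == 'a' || id[1] == 'b' || id[1] == 'y')) {
        /* $2b$<cost>$<22-char salt><31-char hash>: salt and hash run together */
        out->scheme = SCHEME_BCRYPT;
        p += field_len(p);              /* skip the cost field */
        if (*p != '$') return -1;
        p++;
        out->salt_len = strlen(p) < 22 ? strlen(p) : 22;
        out->max_pass_len = 72;         /* bcrypt uses at most 72 bytes of the password */
    } else if (idlen == 1 && id[0] == 'y') {
        out->scheme = SCHEME_YESCRYPT;  /* $y$<params>$<salt>$<hash> */
        p += field_len(p);              /* skip the params field */
        if (*p != '$') return -1;
        p++;
        out->salt_len = field_len(p);
    } else {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample fields: right shape, not hashes of any real password. */
    const char *samples[] = {
        "abJnggxhB/yWI",
        "$6$rounds=10000$saltsaltsaltsalt$N0tAR3alHash",
        "$y$j9T$saltsaltsaltsaltsaltsa$N0tAR3alHash",
        "!",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct crypt_info ci;
        if (parse_crypt_setting(samples[i], &ci) == 0)
            printf("%-46s %-22s salt=%zu max_pass=%d\n", samples[i],
                   scheme_name(ci.scheme), ci.salt_len, ci.max_pass_len);
        else
            printf("%-46s %s\n", samples[i], scheme_name(SCHEME_UNKNOWN));
    }
    return 0;
}
```

Pointing this at a real /etc/shadow field (root only) shows what the local system actually stores, which is the only thing that determines how crypt() will behave when sudo calls it; a field beginning with ! or * marks a locked account and is rejected rather than treated as a hash.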