Bug 833 - One-way hashing algorithm
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.22
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2018-05-10 09:29 MDT by Dhiraj
Modified: 2018-05-10 11:14 MDT (History)
Description Dhiraj 2018-05-10 09:29:48 MDT
Hi Todd,

/plugins/sudoers/auth/passwd.c:83 

i.e.

epass = (char *) crypt(pass, pw_epasswd);

The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327).

Using a different algorithm, such as SHA-256, with a larger, non-repeating salt, would be much better.

Please advise on the same.

Thank you
Dhiraj
Comment 1 Todd C. Miller 2018-05-10 11:14:56 MDT
That code is only used to verify a user's system password and is not even compiled on PAM systems. There's actually no guarantee of what the password algorithm or the max password length might be; these are system-dependent.

It seems like you are just searching the sudo source tree for the use of certain functions without really understanding the underlying code.
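The system dependence Todd describes is visible in the stored hash itself: crypt(3) selects the scheme from the `$id$` prefix of the salt/hash string, and only the 13-character traditional DES form has the 8-character password limit and 2-character salt the report describes. The following is an added example (Python, not part of this bug report or of sudo): it classifies the scheme and salt of crypt-style hashes from constructed /etc/shadow lines so an administrator can spot accounts still stored with the legacy DES or md5crypt forms.

```python
import re

# Scheme ids used in the "$id$..." modular crypt format. Table constructed for
# this example from the ids documented by glibc/libxcrypt; "legacy" marks the
# schemes whose truncation or speed make them poor choices today.
SCHEMES = {
    "1": ("md5crypt", "legacy"),
    "2a": ("bcrypt", "modern"), "2b": ("bcrypt", "modern"), "2y": ("bcrypt", "modern"),
    "5": ("sha256crypt", "modern"),
    "6": ("sha512crypt", "modern"),
    "7": ("scrypt", "modern"),
    "y": ("yescrypt", "modern"),
}

def classify_hash(stored):
    """Return (scheme, salt, rating) for one crypt(3)-style hash string."""
    if not stored or stored[0] in "*!":
        return ("locked", "", "n/a")          # disabled account, no hash to attack
    if stored[0] != "$":
        # Traditional DES crypt: 2-char salt + 11 chars of hash, password cut at 8.
        if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
            return ("descrypt", stored[:2], "legacy")
        return ("unknown", "", "unknown")
    fields = stored.split("$")[1:]            # drop the empty element before the first '$'
    name, rating = SCHEMES.get(fields[0], ("unknown", "unknown"))
    if len(fields) < 3:
        return (name, "", "malformed")
    if name == "bcrypt":
        salt = fields[2][:22]                 # $2b$cost$<22-char salt><31-char hash>
    else:
        salt = fields[-2]                     # [$rounds=N or params]$salt$hash
    return (name, salt, rating)

def audit_shadow(lines):
    """Map each 'user:hash:...' line to (user, scheme, salt_length, rating)."""
    report = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, stored = line.split(":", 2)[:2]
        scheme, salt, rating = classify_hash(stored)
        report.append((user, scheme, len(salt), rating))
    return report

# Constructed sample entries in /etc/shadow layout; the hash values are made up.
SAMPLE_SHADOW = [
    "legacy:abJnggxhB/yWI:17600:0:99999:7:::",
    "old:$1$saltsalt$qbeTUxb3tsCm5KhBd/M3B1:17600:0:99999:7:::",
    "alice:$6$rounds=656000$lRl1iqk1y7bG1ZvT$Made.Up.Hash.Value:17600:0:99999:7:::",
    "bob:$y$j9T$F5Jx5fExrKuPp53xLKQ..$Made.Up.Hash.Value:17600:0:99999:7:::",
    "svc:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW:17600:0:99999:7:::",
    "nologin:!:17600:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme, salt_len, rating in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:12} salt={salt_len:2} {rating}")
```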