|| ||email@example.com |
|| ||firstname.lastname@example.org |
|| ||openSUSE-SU-2011:0921-2: moderate: yast2-core: Adjust to fix crypt_blowfish 8-bit character mishandling |
|| ||Fri, 26 Aug 2011 15:08:19 +0200 (CEST)|
|| ||Article, Thread
openSUSE Security Update: yast2-core: Adjust to fix crypt_blowfish 8-bit character mishandling
Announcement ID: openSUSE-SU-2011:0921-2
An update that fixes one vulnerability is now available. It
includes two new package versions.
This update contains yast2 core changes to change the hash
generation of new passwords to the new secure style.
Please read the general notes below:
The implementation of the blowfish based password hashing
method had a bug affecting passwords that contain 8bit
characters (e.g. umlauts). Affected passwords are
potentially faster to crack via brute force methods
SUSE's crypt() implementation supports the blowfish
password hashing function (id $2a) and system logins by
default also use this method. This update eliminates the
bug in the $2a implementation. After installing the update
existing $2a hashes therefore no longer match hashes
generated with the new, correct implementation if the
password contains 8bit characters. For system logins via
PAM the pam_unix2 module activates a compat mode and keeps
processing existing $2a hashes with the old algorithm. This
ensures no user gets locked out. New passwords hashes are
created with the id "$2y" to unambiguously identify them as
generated with the correct implementation.
Note: To actually migrate hashes to the new algorithm all
users are advised to change passwords after the update.
Services that do not use PAM but do use crypt() to store
passwords using the blowfish hash do not have such a compat
mode. That means users with 8bit passwords that use such
services will not be able to log in anymore after the
update. As workaround administrators may edit the service's
password database and change stored hashes from $2a to $2x.
This will result in crypt() using the old algorithm. Users
should be required to change their passwords to make sure
they are migrated to the correct algorithm.
Q: I only use ASCII characters in passwords, am I a
affected in any way? A: No.
Q: What's the meaning of the ids before and after the
update? A: Before the update: $2a -> buggy algorithm
After the update: $2x -> buggy algorithm $2a -> correct
algorithm $2y -> correct algorithm
System logins using PAM have a compat mode enabled by
default: $2x -> buggy algorithm $2a -> buggy algorithm $2y
-> correct algorithm
Q: How do I require users to change their password on next
login? A: Run the following command as root for each user:
chage -d 0 <username>
Q: I run an application that has $2a hashes in it's
password database. Some users complain that they can not
log in anymore. A: Edit the password database and change
the "$2a" prefix of the affected users' hashes to "$2x".
They will be able to log in again but should change their
Q: How do I turn off the compat mode for system logins? A:
Set BLOWFISH_2a2x=no in /etc/default/passwd
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.4:
zypper in -t patch yast2-core-5028
- openSUSE 11.3:
zypper in -t patch yast2-core-5028
To bring your system up-to-date, use "zypper patch".
- openSUSE 11.4 (i586 x86_64) [New Version: 2.20.1]:
- openSUSE 11.3 (i586 x86_64) [New Version: 2.19.4]:
to post comments)