kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
|
Posted: Sun Feb 26, 2006 11:00 am Post subject: About length of /etc/shadow hashes |
|
|
Looking at my shadow file, I've found this:
Code: |
.
.
.
user1::VMM6rgiPs3K1a:13203:0:99999:7:::
user2:$1$uHh56Du8$4lVLDgcsYZsCJ7YN38V2u/:13203:0:99999:7:::
.
.
.
|
Why do some users have one length of hash and others a longer one?
I've usually seen all my hashes like user2, but for user1 I changed the password with webmin... so I think it could be related to that... the thing is... why can both users log in?
Thanks a lot _________________ Everything you wanted to know about Google at: www.noticiasgoogle.es |
Houdini Apprentice
Joined: 14 Jun 2002 Posts: 224 Location: New Mexico Tech, Socorro, NM
|
Posted: Sun Feb 26, 2006 6:12 pm Post subject: |
|
|
Does user1 work? That extra : indicates that the user has no password hash, and thus can probably log in without a password. Try that locally (since you may have SSHd configured to not allow null passwords). _________________ ^]:wq |
kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
|
Posted: Sun Feb 26, 2006 6:44 pm Post subject: |
|
|
Sorry, I copy/pasted an extra ":"...
Yeah, both users work with their passwords... _________________ Everything you wanted to know about Google at: www.noticiasgoogle.es |
Houdini Apprentice
Joined: 14 Jun 2002 Posts: 224 Location: New Mexico Tech, Socorro, NM
|
Posted: Sun Feb 26, 2006 7:48 pm Post subject: |
|
|
kamikaze04 wrote: | Sorry, I copy/pasted an extra ":"...
Yeah, both users work with their passwords... |
Oh, good. The way it was originally would have resulted in me saying "you got 0wned, start from scratch".
The "$1$" on the second one implies it is an MD5 hash (I think). The lack of $N$ on the first one means it's probably an old crypt() password. Your system will deal with a few strange hash types without complaint, which is why they both work. Webmin (evidently) is still using crypt(), which isn't as secure. I would read up on getting it to use MD5, SHA1, or something stronger.
Basically, don't worry too much about it. Passwords that look like user1 are "less" secure. If you're running a server or other high-risk target, change the password again with the command line. Otherwise, not. Either way, convince webmin to do the right thing whenever you have some time/energy to mess with it. _________________ ^]:wq |
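As an added example (not code from this thread), a small Python audit that reads shadow-format lines and names the scheme of each password field from its prefix and length. It covers more crypt(3) prefixes than the two discussed here; the function names and the sample lines (the line as first pasted, its corrected form, and user2) are assumptions of this example.

```python
import re

# crypt(3) modular-format identifiers: the token between the first two '$'.
MODULAR = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Traditional DES crypt(): 2 salt chars + 11 hash chars, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Name the scheme used by one shadow password field."""
    if field == "":
        return "empty"                 # no hash at all: no password required
    if field[0] in "!*":
        return "locked"                # account locked or no valid password
    if field.startswith("$"):
        parts = field.split("$")
        ident = parts[1] if len(parts) > 2 else ""
        return MODULAR.get(ident, "unknown-modular")
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"

def audit(text):
    """Return [(user, scheme)] for every shadow-format line in text."""
    out = []
    for line in text.splitlines():
        cols = line.strip().split(":")
        if len(cols) >= 2 and cols[0] and not cols[0].startswith("#"):
            out.append((cols[0], classify(cols[1])))
    return out

def needs_attention(text):
    """Users whose field is empty or still uses traditional DES crypt()."""
    return [u for u, s in audit(text) if s in ("empty", "descrypt")]

# Constructed sample: line 1 is user1 as first pasted (extra ':'),
# line 2 is the corrected form, line 3 is user2 from the post.
SAMPLE = """\
user1::VMM6rgiPs3K1a:13203:0:99999:7:::
user1:VMM6rgiPs3K1a:13203:0:99999:7:::
user2:$1$uHh56Du8$4lVLDgcsYZsCJ7YN38V2u/:13203:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user:8} {scheme}")
```

The first sample line parses as an empty password field, which is why the stray colon looked alarming before it turned out to be a paste error.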
kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
|
Posted: Sun Feb 26, 2006 8:53 pm Post subject: |
|
|
Thanks a lot... your answer was very instructive.
Thanks again _________________ Everything you wanted to know about Google at: www.noticiasgoogle.es |