authorDavid Cantrell <dcantrell@redhat.com>2008-02-20 08:10:59 -1000
committerDavid Cantrell <dcantrell@redhat.com>2008-02-20 08:10:59 -1000
commit42f95909a18d2a2ae64109ccba8fcb2a681dd555 (patch)
tree612bb34715b8a1327022e1a9924bfefe9e822ad6 /instdata.py
parent4a1ba1a6a002651ecb5687aba6d0586647a57d8c (diff)
Use SHA-512 by default for password encryption.
Encode passwords using SHA-512 by default. Users can override this in a Kickstart file using the 'auth' command. The options below determine the algorithm used:

    --enablemd5 -or- --passalgo=md5    MD5
    --passalgo=sha256                  SHA-256
    --passalgo=sha512                  SHA-512

The previous default was MD5. glibc now supports SHA-256 and SHA-512, so we are using the strongest of those choices by default now.
Diffstat (limited to 'instdata.py')
-rw-r--r--instdata.py50
1 files changed, 32 insertions, 18 deletions
diff --git a/instdata.py b/instdata.py
index b90af8d6b..e1175f2fe 100644
--- a/instdata.py
+++ b/instdata.py
@@ -72,7 +72,7 @@ class InstallData:
self.timezone.setTimezoneInfo(self.instLanguage.getDefaultTimeZone())
self.users = None
self.rootPassword = { "isCrypted": False, "password": "", "lock": False }
- self.auth = "--enableshadow --enablemd5"
+ self.auth = "--enableshadow --passalgo=sha512"
self.desktop = desktop.Desktop()
self.upgrade = None
if flags.cmdline.has_key("doupgrade"):
@@ -150,12 +150,20 @@ class InstallData:
def setUpgrade (self, bool):
self.upgrade = bool
- def write(self):
- if self.auth.find("--enablemd5"):
- useMD5 = True
+ # Reads the auth string and returns a string indicating our desired
+ # password encoding algorithm.
+ def getPassAlgo(self):
+ if self.auth.find("--enablemd5") != -1 or \
+ self.auth.find("--passalgo=md5") != -1:
+ return 'md5'
+ elif self.auth.find("--passalgo=sha256") != -1:
+ return 'sha256'
+ elif self.auth.find("--passalgo=sha512") != -1:
+ return 'sha512'
else:
- useMD5 = False
+ return None
+ def write(self):
self.instLanguage.write (self.anaconda.rootPath)
if not self.isHeadless:
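Review bot: getPassAlgo() returns None when the auth string names no algorithm (for example a Kickstart `auth --enableshadow`), and that None is then passed as `algo`/`algoname` to createLuserConf, setRootPassword, createUser and cryptPassword in the later hunks. What those helpers do with None is not visible on this page; if they do not fall back to SHA-512 themselves, the commit's stated default is lost for such files, so either end the chain with `return 'sha512'` or extend the leading comment with `# Returns None when auth names no algorithm; callers must apply the default.` The MD5 test also comes first, so an auth string carrying both `--enablemd5` and `--passalgo=sha512` resolves to 'md5'; testing the SHA variants first would let the stronger choice win. write() continues past the end of this hunk.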
@@ -175,16 +183,21 @@ class InstallData:
except RuntimeError, msg:
log.error("Error running %s: %s", args, msg)
- self.network.write (self.anaconda.rootPath)
- self.firewall.write (self.anaconda.rootPath)
+ self.network.write (self.anaconda.rootPath)
+ self.firewall.write (self.anaconda.rootPath)
self.security.write (self.anaconda.rootPath)
self.users = users.Users()
+ # make sure crypt_style in libuser.conf matches the salt we're using
+ users.createLuserConf(self.anaconda.rootPath,
+ algoname=self.getPassAlgo())
+
# User should already exist, just without a password.
self.users.setRootPassword(self.rootPassword["password"],
- self.rootPassword["isCrypted"], useMD5,
- self.rootPassword["lock"])
+ self.rootPassword["isCrypted"],
+ self.rootPassword["lock"],
+ algo=self.getPassAlgo())
self.users.reset()
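Review bot: `self.getPassAlgo()` is evaluated once for createLuserConf and again for setRootPassword, although the added comment says the two must agree; binding it once with `algo = self.getPassAlgo()` and passing `algoname=algo` and `algo=algo` makes that invariant explicit and avoids re-parsing the auth string. The same applies to the createUser loop in the next hunk, where the call is repeated for every user. The network.write and firewall.write lines change only in whitespace, which this page does not preserve, so it is worth confirming in the raw patch that the new indentation does not move them into or out of the `except RuntimeError` block above. write() starts and ends outside this hunk.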
@@ -202,19 +215,20 @@ class InstallData:
root=self.anaconda.rootPath)
for ud in self.ksdata.user.userList:
- if not self.users.createUser(ud.name, ud.password, ud.isCrypted,
- ud.groups, ud.homedir, ud.shell,
- ud.uid, ud.lock,
+ if not self.users.createUser(name=ud.name,
+ password=ud.password,
+ isCrypted=ud.isCrypted,
+ groups=ud.groups,
+ homedir=ud.homedir,
+ shell=ud.shell,
+ uid=ud.uid,
+ algo=self.getPassAlgo(),
+ lock=ud.lock,
root=self.anaconda.rootPath):
log.error("User %s already exists, not creating." % ud.name)
def writeKS(self, filename):
- if self.auth.find("--enablemd5"):
- useMD5 = True
- else:
- useMD5 = False
-
f = open(filename, "w")
f.write("# Kickstart file automatically generated by anaconda.\n\n")
@@ -243,7 +257,7 @@ class InstallData:
if self.rootPassword["isCrypted"]:
args = " --iscrypted %s" % self.rootPassword["password"]
else:
- args = " --iscrypted %s" % users.cryptPassword(self.rootPassword["password"], useMD5)
+ args = " --iscrypted %s" % users.cryptPassword(self.rootPassword["password"], algo=self.getPassAlgo())
if self.rootPassword["lock"]:
args += " --lock"