Bug #241
LOGIN ACCEPT wrong Passwords
| Status: | New | Start: | 08/27/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | ncp3.1 | | |
Description
As posted by Stephan Hesse, NexentaOS accepts wrong logins for SSH, Console Login and su. (See: http://nexenta.org/boards/1/topics/957)
According to Stephan, NCP 3.0 is affected; I verified against NexentaStor 3.0.3 Commercial Edition, same problem there. This is a rather serious bug.
He suggested the following for testing, and I could verify it with:
- `passwd root`, give for example: BillyBoy34, again BillyBoy34
- log off as root
- log in as root, give BillyBoy51
Additional info, other combinations that worked here with NexentaStor 3.0.3:
- Billyboy35blablablabla
- Typing only the first 8 characters of the password; with seven, the result was the correct behaviour (= wrong password)
History
Updated by Mat Simon about 1 year ago
Update:
NexentaStor's NMV does not accept the wrong login data.
Updated by Bas van Oostveen about 1 year ago
Also see forum topic @ http://www.nexenta.org/boards/1/topics/957
Updated by Bas van Oostveen about 1 year ago
- Priority changed from High to Immediate
Maybe this should be looked at as a security issue and fixed 0-day, instead of leaving it on this tracker.
Could anybody from Nexenta comment?
Updated by Mat Simon about 1 year ago
- Priority changed from Immediate to Normal
- Target version set to ncp3.1
Since NCP is based on the former ONNV and thus followed the tradition and backwards compatibility of the quite long UNIX tradition ONNV is based upon, crypt_unix remained the default (but no longer considered secure enough) password hashing algorithm in NexentaCore and NexentaStor. The package that would need to be changed in NCP 3.0.1 is sunwcsr (apt-file search /etc/security/policy.conf).
I got a statement from Nexenta support that this will be changed in the 3.1 series, at least when speaking in terms of NexentaStor. No estimated time of arrival (ETA) yet. In the meantime, all those who want to switch to a more secure algorithm can edit /etc/security/policy.conf, change the default algorithm to 2a (Blowfish) and set crypt_unix to deprecated.
Afterwards the users' passwords need to be changed, so that they are stored afterwards with more than 8 characters. Be aware that this part is different from NexentaCore to NexentaStor, especially when speaking about the built-in admin and root user accounts (-> RTFM).
--- policy.conf.orig 2010-06-26 21:48:36.172687139 +0200 +++ policy.conf 2010-06-26 21:48:51.697231495 +0200 @@ -41,13 +41,14 @@ # and change CRYPT_DEFAULT= to another algorithm. For example, # CRYPT_DEFAULT=1 for BSD/Linux MD5. # -#CRYPTALGORITHMSDEPRECATE=unix +CRYPTALGORITHMSDEPRECATE=unix
# The Solaris default is the traditional UNIX algorithm. This is not # listed in crypt.conf(4) since it is internal to libc. The reserved # name unix is used to refer to it. # -CRYPT_DEFAULT=unix +CRYPT_DEFAULT=2a
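Review bot: the deprecate line is shown as `+CRYPTALGORITHMSDEPRECATE=unix`, without the underscores that `CRYPT_DEFAULT` on the same hunk keeps; the policy.conf(4) keyword is `CRYPT_ALGORITHMS_DEPRECATE`, and a misspelled keyword is silently ignored, so the posted diff should be checked against the actual file before anyone copies it. It would also help to state next to the hunk what the comment above already hints at: deprecating `unix` and setting `CRYPT_DEFAULT=2a` only changes the algorithm used on the next password change, it does not refuse the existing 13-character crypt_unix hashes, so every account (root and the built-in admin included) still accepts any password matching its first 8 characters until `passwd` has been run for it.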
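Since the policy.conf edit only takes effect on the next password change, the practical follow-up is to find out which accounts are still carrying a crypt_unix hash. The script below is an added example for this ticket, not code from the report, from Nexenta or from Sun: it classifies the hash field of a shadow(4)-style file by its prefix (a bare 13-character string is crypt_unix, `$1$` MD5, `$2a$` Blowfish, `$5$`/`$6$` SHA; `*LK*`, `NP` and `!` are locked or no-password markers) and also reads back `CRYPT_DEFAULT` and `CRYPT_ALGORITHMS_DEPRECATE` from a policy.conf so the edit can be verified. The shadow and policy.conf contents are constructed samples, the file layout and prefix conventions are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example for this ticket (not code from the report, Nexenta or Sun):
# after switching policy.conf to CRYPT_DEFAULT=2a, find the accounts whose
# stored hash is still crypt_unix and therefore still matches on the first
# 8 characters only. Assumes a shadow(4)-style file with the hash in field 2
# and the usual prefixes ($1$ MD5, $2a$ Blowfish, $5$/$6$ SHA, bare 13-char
# string = crypt_unix); *LK*, NP and ! mark locked or no-password entries.

# classify_hash HASH  -> prints: unix | md5 | 2a | sha256 | sha512 | locked | empty | unknown
classify_hash() {
    h=$1
    case "$h" in
        '')                           echo empty ;;
        '*LK*'*|'*NP*'|NP|'!'*|'*')   echo locked ;;
        '$1$'*)                       echo md5 ;;
        '$2a$'*)                      echo 2a ;;
        '$5$'*)                       echo sha256 ;;
        '$6$'*)                       echo sha512 ;;
        *)
            # crypt_unix: exactly 13 characters from [./0-9A-Za-z] and no '$'
            if [ "${#h}" -eq 13 ] && [ -z "$(printf '%s' "$h" | tr -d './0-9A-Za-z')" ]; then
                echo unix
            else
                echo unknown
            fi ;;
    esac
}

# list_deprecated FILE  -> one "user unix" line per account still on crypt_unix
list_deprecated() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$(classify_hash "$hash")" = unix ]; then
            printf '%s unix\n' "$user"
        fi
    done < "$1"
    return 0
}

# policy_status FILE  -> "default=<algo> deprecate=<list>" from the uncommented
# keywords of a policy.conf(4); an unset CRYPT_DEFAULT means the Solaris
# default, crypt_unix.
policy_status() {
    def=$(sed -n 's/^CRYPT_DEFAULT=//p' "$1" | tail -n 1)
    dep=$(sed -n 's/^CRYPT_ALGORITHMS_DEPRECATE=//p' "$1" | tail -n 1)
    printf 'default=%s deprecate=%s\n' "${def:-unix}" "${dep:-none}"
}

# Constructed sample shadow file (no real credentials; hashes are illustrative).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:abJnggxhB/yWI:14848::::::
admin:$2a$04$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy:14848::::::
backup:$1$saltsalt$qNjnQFp.A41gC9LbkJA4P1:14848::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
EOF

# Constructed excerpt of /etc/security/policy.conf after the edit.
POLICY=$(mktemp)
cat > "$POLICY" <<'EOF'
# CRYPT_DEFAULT=unix would be the shipped (commented-out) default
CRYPT_ALGORITHMS_DEPRECATE=unix
CRYPT_DEFAULT=2a
EOF

echo "policy: $(policy_status "$POLICY")"   # default=2a deprecate=unix
echo "accounts still on crypt_unix:"
list_deprecated "$SAMPLE"                    # root unix
rm -f "$SAMPLE" "$POLICY"
```

Run it as root against the real `/etc/shadow` and `/etc/security/policy.conf` instead of the constructed samples; every account listed still needs a `passwd` run before the 8-character truncation is gone for it.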