I'm trying to programmatically change a user's password, and got a few messages I can't explain along the way.
I ran this command to start with:
sudo usermod -p "$(openssl passwd -1 newpassword)" theuser
No error got printed, but next time I logged in, I got this message:
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Mon Jan 30 16:22:41 2017 from 193.50.110.1
Wrong salt length: 0 bytes when 8 <= n <= 16 expected.
I tried another encryption method:
sudo usermod -p "$(openssl passwd -crypt newpassword)" theuser
Still no error, but the message changed:
Wrong salt length: 0 bytes when 8 <= n <= 16 expected.
I finally tried something else, using mkpasswd to have a stronger encryption (related to this post):
sudo usermod -p "$(mkpasswd --method=sha-512 newpassword)" theuser
This time, the error disappeared, so I believe this was related to the hash algorithm strength. What I don't understand is which algorithm can and should be used to generate a password.
Which algorithms can be safely used with mkpasswd to avoid the error message? Does that also mean the mkpasswd command is run at startup?
UPDATE: I forgot to mention I had these messages using a Raspbian Jessie Lite. I also found some strings containing this error message in mkpasswd.c source on rfc1036/whois GitHub repository.
--method=sha-512, because -1 and -crypt select obsolete, weak methods. But that doesn't explain the error message. -1 and -crypt are insecure but they should work, functionally speaking. – Gilles 'SO- stop being evil' Jan 31 '17 at 00:33
openssl to protect you against using insecure algorithms. Its interface is badly designed and it's difficult to use securely even if you know what you're doing. – Gilles 'SO- stop being evil' Jan 31 '17 at 10:55
sha-256 and sha-512. You know that, um, unfortunately not because the documentation tells you, you have to figure it out by asking around (and figuring out who can give you reliable answers...). – Gilles 'SO- stop being evil' Feb 01 '17 at 18:01
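
A pre-flight check for the string handed to usermod -p, as an added example that is not part of the original question or comments: the hypothetical helper check_crypt_hash reads the crypt(3) prefix, accepts only the sha-256 and sha-512 formats, and rejects the MD5 and DES formats that openssl passwd -1 and -crypt produce. It assumes the 8 to 16 character salt bound from the message quoted in the question; all sample strings are constructed.

```sh
#!/bin/sh
# Added example, not code from the post. check_crypt_hash is a hypothetical helper
# that vets a crypt(3)-style string before it is passed to `usermod -p`.
# Assumption: the 8..16 salt bound is the one quoted in the error message above,
# applied here to the SHA-crypt schemes.

check_crypt_hash() {
    hash=$1
    case $hash in
        '$6$'*) scheme=sha-512; want=86 ;;   # SHA-512 crypt: 86-char digest
        '$5$'*) scheme=sha-256; want=43 ;;   # SHA-256 crypt: 43-char digest
        '$1$'*) echo "md5: weak, rejected"; return 1 ;;
        *)
            # Traditional DES crypt: 13 chars of [./0-9A-Za-z], no "$" prefix.
            if [ "${#hash}" -eq 13 ] && ! printf '%s' "$hash" | grep -q '[^./0-9A-Za-z]'; then
                echo "des: weak, rejected"
            else
                echo "unrecognised: rejected"
            fi
            return 1 ;;
    esac
    rest=${hash#\$?\$}                                  # strip "$5$" or "$6$"
    case $rest in rounds=*) rest=${rest#*\$} ;; esac    # strip optional "rounds=N$"
    case $rest in
        *\$*) salt=${rest%%\$*}; digest=${rest#*\$} ;;
        *) echo "$scheme: malformed, rejected"; return 1 ;;
    esac
    if [ "${#salt}" -lt 8 ] || [ "${#salt}" -gt 16 ]; then
        echo "$scheme: salt length ${#salt} outside 8..16, rejected"; return 1
    fi
    if [ "${#digest}" -ne "$want" ] || printf '%s' "$digest" | grep -q '[^./0-9A-Za-z]'; then
        echo "$scheme: bad digest field, rejected"; return 1
    fi
    echo "$scheme: ok, salt length ${#salt}"
}

# Constructed sample strings (not real password hashes).
pad=$(printf '%086d' 0)                                   # 86-character digest filler
check_crypt_hash "\$6\$abcdefgh12345678\$$pad"            || true   # well-formed sha-512
check_crypt_hash "\$6\$\$$pad"                            || true   # empty salt
check_crypt_hash '$1$abcdefgh$0123456789abcdefghijkl'     || true   # MD5-crypt shape
check_crypt_hash 'ab0123456789.'                          || true   # DES-crypt shape
```

The function returns non-zero on rejection, so a provisioning script can gate the usermod call on it.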