Bug #17135
Don't store the admin password in cleartext
Description
The Greeter currently stores the user-chosen admin password unhashed in /var/lib/gdm3/tails.password. In /etc/gdm3/PostLogin/Default, the password is then set via chpasswd and /var/lib/gdm3/tails.password is removed.
IMO, passwords should never be stored in cleartext. Instead, we should store them hashed and use chpasswd -e to set them.
This will also make it easier to persist the password, as part of persisting the Greeter options, which I plan to work on.
History
#1 Updated by segfault 2019-10-08 15:34:30
- Description updated
#2 Updated by segfault 2019-10-08 15:36:14
Using chpasswd -e does not seem to be a good idea, because then chpasswd won’t use PAM to generate the password.
#3 Updated by segfault 2019-10-08 16:31:29
segfault wrote:
> Using chpasswd -e does not seem to be a good idea, because then chpasswd won’t use PAM to generate the password.
PAM uses the hash algorithm configured in /etc/login.defs, which is SHA512. So it should be fine if we generate the password with mkpasswd --method=sha512crypt and then set it via chpasswd -e. mkpasswd also takes care of generating a salt.
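The flow described in comment #3, as an added example that is not part of the ticket or of the Tails code: the password is hashed before anything is written to disk, and the stored line is later fed to chpasswd -e. The function names, the file argument and the user name are hypothetical, and openssl passwd -6 is an assumed fallback for systems without mkpasswd.

```shell
#!/bin/sh
# Added example; function names, paths and the user name are hypothetical.

# Read the cleartext from stdin (never argv, which is visible in ps) and
# print a salted sha512crypt hash.
hash_password() {
    if command -v mkpasswd >/dev/null 2>&1; then
        mkpasswd --method=sha512crypt --stdin
    else
        openssl passwd -6 -stdin   # assumed fallback, same $6$ format
    fi
}

# Accept only something shaped like $6$<salt>$<hash>, with no field
# separator that could corrupt the "user:hash" line read by chpasswd.
is_sha512crypt() {
    case "$1" in
        *:*|*' '*) return 1 ;;
        '$6$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Producer side: write "user:hash" to a file readable by its owner only.
write_hash_file() {
    file=$1
    user=$2
    hash=$(hash_password) || return 1
    is_sha512crypt "$hash" || return 1
    ( umask 077 && printf '%s:%s\n' "$user" "$hash" > "$file" )
}

# Consumer side (needs root): -e tells chpasswd the input is already hashed.
apply_hash_file() {
    status=0
    chpasswd -e < "$1" || status=$?
    rm -f -- "$1"
    return "$status"
}

# Demo with a constructed password and a temporary file; no account is touched.
demo_file=$(mktemp)
printf '%s\n' 'constructed-example-pw' | write_hash_file "$demo_file" exampleuser
cut -d: -f1 "$demo_file"
rm -f -- "$demo_file"
```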
#4 Updated by segfault 2019-10-08 16:44:17
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|71b72ab2eda52fb35ab71c00d0578086a61a2bee.
#5 Updated by intrigeri 2019-10-09 19:50:50
4.0 is now frozen but if the changes are not invasive, given we have good test coverage for this IIRC, I’m open to making a freeze exception for it.
#6 Updated by intrigeri 2019-10-21 11:46:18
- Target version changed from Tails_4.0 to Tails_4.1
#7 Updated by segfault 2019-12-03 09:44:03
- Target version changed from Tails_4.1 to Tails_4.2
- Feature Branch set to bugfix/17135-store-admin-pw-hashed
#8 Updated by CyrilBrulebois 2020-01-07 18:00:42
- Target version changed from Tails_4.2 to Tails_4.3
#9 Updated by anonym 2020-02-11 15:26:12
- Target version changed from Tails_4.3 to Tails_4.4
#10 Updated by CyrilBrulebois 2020-03-12 09:55:59
- Target version changed from Tails_4.4 to Tails_4.5
#11 Updated by CyrilBrulebois 2020-04-07 17:05:17
- Target version changed from Tails_4.5 to Tails_4.6
#12 Updated by CyrilBrulebois 2020-05-06 04:28:57
- Target version changed from Tails_4.6 to Tails_4.7