Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password hashes in /etc/shadow not SHA512 #209

Closed
ITNerdbox opened this issue Oct 16, 2023 · 1 comment · Fixed by #215
Closed

Password hashes in /etc/shadow not SHA512 #209

ITNerdbox opened this issue Oct 16, 2023 · 1 comment · Fixed by #215
Assignees
@ThibaultDewailly
Labels
enhancement

Comments

@ITNerdbox
Copy link

The default password hashing algorithm in Debian 12 is yescrypt, which apparently is a better to withstand offline password cracking compared to SHA512.

Currently I get the following message:

99.5.4.5.2_acc_shadow_sha [ KO ] User root has a password that is not SHA512 hashed.

Obviously, this is technically correct. However, considering this is apparently a better hashing algorithm, would it be possible to include this in the checks?

I can also understand this may be something that needs to be reported to CIS itself perhaps, thus this discussion.
@ThibaultDewailly
Copy link
Collaborator

Hello, and thank you for pointing it out.
You are right, yescrypt must be included as a valid hashing password.

Adding this in todo

@ThibaultDewailly ThibaultDewailly self-assigned this Nov 10, 2023
ThibaultDewailly added a commit that referenced this issue Nov 14, 2023
@ThibaultDewailly
fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4
8ad722a 
Fixes #209
@ThibaultDewailly ThibaultDewailly mentioned this issue Nov 14, 2023
Merged
ThibaultDewailly added a commit that referenced this issue Nov 14, 2023
@ThibaultDewailly
fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215)
670c8c6 
Fixes #209
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ThibaultDewailly ThibaultDewailly

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 ovh/debian-cis
2 participants
@ITNerdbox @ThibaultDewailly