Fixes #37614 - Use SHA512 for password hashing when no OS is set

In e2dee7d the default for new operating systems was changed to SHA512, but there's an edge case where no is know for a host that makes it use SHA256. SHA512 has been the recommended value for hashing since EL5 and at least in EL6 it was also the default (didn't have EL5 on hand to check /etc/login.defs).
theforeman · Jul 1, 2024 · 0151ddb · 0151ddb
1 parent f2e6bca
commit 0151ddb
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/app/models/concerns/host_common.rb b/app/models/concerns/host_common.rb
@@ -171,7 +171,7 @@ def crypt_pass(unencrypted_pass, pass_kind)
 
     case pass_kind
     when :root
-      operatingsystem.nil? ? PasswordCrypt.passw_crypt(unencrypted_pass) : PasswordCrypt.passw_crypt(unencrypted_pass, operatingsystem.password_hash)
+      PasswordCrypt.passw_crypt(unencrypted_pass, operatingsystem&.password_hash)
     when :grub
       PasswordCrypt.grub2_passw_crypt(unencrypted_pass)
     else

diff --git a/app/services/password_crypt.rb b/app/services/password_crypt.rb
@@ -2,6 +2,10 @@
 
 class PasswordCrypt
   ALGORITHMS = {'SHA512' => '$6$', 'SHA256' => '$5$', 'Base64' => '', 'Base64-Windows' => ''}
+  # Matches ENCRYPT_METHOD in /etc/login.defs on EL6+
+  # When changing this, be sure to add a migration for operatingsystems'
+  # default value
+  DEFAULT_HASH_ALGORHITHM = 'SHA512'
 
   if Foreman::Fips.md5_available?
     ALGORITHMS['MD5'] = '$1$'
@@ -12,7 +16,8 @@ def self.generate_linux_salt
     SecureRandom.alphanumeric(16)
   end
 
-  def self.passw_crypt(passwd, hash_alg = 'SHA256')
+  def self.passw_crypt(passwd, hash_alg = nil)
+    hash_alg ||= DEFAULT_HASH_ALGORHITHM
     raise Foreman::Exception.new(N_("Unsupported password hash function '%s'"), hash_alg) unless ALGORITHMS.has_key?(hash_alg)
 
     case hash_alg