[Buildroot] [PATCH 2/2] system cfg: remove passwd MD5 format
Yann E. MORIN
yann.morin.1998 at free.fr
Wed Dec 5 21:55:42 UTC 2018
Matt, All,
On 2018-12-05 10:33 -0600, Matt Weber spake thusly:
> As SHA256 is now default, removing weak MD5 option. C libraries now
> all support the SHA methods.
> glibc 2.7+
> uclibc (bdd8362a88 package/uclibc: defconfig: enable sha-256...)
> musl 1.1.14+
>
> One issue this would prevent is a host tool issue with a FIPS enabled
> system where weak ciphers/methods are disabled. The crypt(3) call
> checks /proc/sys/crypto/fips_enabled and would result in mkpasswd
> returning "crypt failed." Rather then create a host dependency check
> this patch removes the potential issue.
>
> Cc: Yann E. MORIN <yann.morin.1998 at free.fr>
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998 at free.fr>
Regards,
Yann E. MORIN.
> ---
> Config.in.legacy | 8 ++++++++
> system/Config.in | 10 ----------
> 2 files changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 02321c8..d70654c 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -143,6 +143,14 @@ comment "----------------------------------------------------"
> endif
>
> ###############################################################################
> +
> +config BR2_TARGET_GENERIC_PASSWD_MD5
> + bool "target passwd md5 format support has been removed"
> + select BR2_LEGACY
> + help
> + The default has been moved to SHA256 and all C libraries
> + now support that method by default
> +
> comment "Legacy options removed in 2018.11"
>
> config BR2_TARGET_XLOADER
> diff --git a/system/Config.in b/system/Config.in
> index 2123d33..9a87b1b 100644
> --- a/system/Config.in
> +++ b/system/Config.in
> @@ -68,16 +68,6 @@ choice
>
> Note: this is used at build-time, and *not* at runtime.
>
> -config BR2_TARGET_GENERIC_PASSWD_MD5
> - bool "md5"
> - help
> - Use MD5 to encode passwords.
> -
> - The default. Wildly available, and pretty good.
> - Although pretty strong, MD5 is now an old hash function, and
> - suffers from some weaknesses, which makes it susceptible to
> - brute-force attacks.
> -
> config BR2_TARGET_GENERIC_PASSWD_SHA256
> bool "sha-256"
> help
> --
> 1.9.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list