14 January, 2010

Setting User Passwords Longer Than 8 Characters

When creating Red Hat/CentOS appliances using Studio & Studio2, the passwords given for the root and user accounts are truncated to 8 characters, because they are hashed with the traditional DES-based crypt function, which only ever uses the first 8 characters of the password.

To use MD5-crypt hashes instead, first generate one on an existing Linux system, like:

[root@will cli]# adduser tmpuser
[root@will cli]# passwd tmpuser
Changing password for user tmpuser.
New UNIX password: [enter a long password, over 8 chars]
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Then grab the hash:

[root@will cli]# grep tmpuser /etc/shadow
tmpuser:$1$PhmFj24Z$nu/7FF2813kKiEt2DWiB81:14623:0:99999:7:::

In this case we want: $1$PhmFj24Z$nu/7FF2813kKiEt2DWiB81

Escape each dollar sign with a backslash: \$1\$PhmFj24Z\$nu/7FF2813kKiEt2DWiB81

Now edit the build profile XML file for the appliance you are working on: set the vadk:passwordFormat value to "des" and the vadk:password value to the escaped hash.

For example:

<vadk:User vadk:username="myuser" vadk:password="\$1\$PhmFj24Z\$nu/7FF2813kKiEt2DWiB81" vadk:passwordFormat="des" vadk:fullname="My User" vadk:uid=""/>

Don't mind that passwordFormat says "des" when we're actually using an MD5 hash; it's a goofy misnomer for "already hashed, just use the specified string as-is".

Then build. Boot the new appliance and try to log in with only the first 8 characters of the password: you should now be denied, because the full password is respected.
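The same hash can be produced and checked without creating a throwaway account, as an added example that is not from the original post: a pure-Python MD5-crypt implementation following the FreeBSD crypt-md5.c algorithm, a verify() that recomputes the hash from the salt embedded in the string, and escape_for_profile() for the vadk:password attribute. The function names are my own, and the test password is a constructed value.

```python
"""Generate an MD5-crypt ($1$) hash and escape it for a vadk:User entry."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt's base-64 variant: emits the least-significant 6 bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD's crypt-md5.c; the salt is at most 8 chars."""
    pw, magic, sl = password.encode(), b"$1$", salt[:8].encode()
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):          # as many bytes of alt as pw has
        ctx.update(alt[: min(pl, 16)])
    i = len(pw)
    while i:                                   # the "something really weird" step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)


def new_salt():
    # 8 random characters from the crypt alphabet (the full salt length)
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password, hashed):
    """Recompute with the stored salt; constant-time compare of the result."""
    _, _, salt, _ = hashed.split("$")
    return secrets.compare_digest(md5_crypt(password, salt), hashed)


def escape_for_profile(hashed):
    # Studio needs every '$' escaped inside the vadk:password attribute
    return hashed.replace("$", r"\$")


if __name__ == "__main__":
    h = md5_crypt("correct-horse-battery", new_salt())  # constructed password
    print(escape_for_profile(h), verify("correct-", h))  # truncated login fails
```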