CentOS 7
crypto weakness #294


Weakness Breakdown


This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:



The highlighted line of code below is the trigger point of this particular CentOS 7 crypto weakness.

			fprintf(stderr, "%s login refused on this terminal.\n",
			if (hostname)
					"LOGIN %s REFUSED FROM %s ON TTY %s",
					pwd->pw_name, hostname, tty);
					"LOGIN %s REFUSED ON TTY %s",
					pwd->pw_name, tty);

		/*
		 * If no pre-authentication and a password exists
		 * for this user, prompt for one and verify it.
		 */
		if (!passwd_req || (pwd && !*pwd->pw_passwd))

		setpriority(PRIO_PROCESS, 0, -4);
		pp = getpass("Password:");
		p = crypt(pp, salt);	/* flagged call: traditional crypt() hashing */
		setpriority(PRIO_PROCESS, 0, 0);

		/*
		 * If not present in pw file, act as we normally would.
		 * If we aren't Kerberos-authenticated, try the normal
		 * pw file for a password.  If that's ok, log the user
		 * in without issuing any tickets.
		 */
		if (pwd && !krb_get_lrealm(realm,1)) {
			/*
			 * get TGT for local realm; be careful about uid's
			 * here for ticket file ownership
			 */
			kerror = krb_get_pw_in_tkt(pwd->pw_name, "", realm,
				"krbtgt", realm, DEFAULT_TKT_LIFE, pp);
			if (kerror == INTK_OK) {
				bzero(pp, strlen(pp));
				notickets = 0;	/* user got ticket */
