Bug 1223089

Summary: [doc] Issue in "Password settings options", DES is not the default and definitely not a secure one
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5
Reporter: Lukas Ocilka <locilka>
Component: Documentation
Assignee: Jana Halackova <jsindelarova>
Status: RESOLVED FIXED
QA Contact: Frank Sundermeyer <fs>
Severity: Normal
Priority: P5 - None
CC: jreidinger
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: https://jira.suse.com/browse/DOCTEAM-1378
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Lukas Ocilka 2024-04-18 14:20:36 UTC
Password settings options:

https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-configuration-installation-options.html#CreateProfile-Security-password

--- cut ---
4.28.1 Password settings options

Use this resource to activate one of the encryption methods currently supported. If not set, DES is configured.

DES, the Linux default method, works in all network environments, but it restricts you to passwords no longer than eight characters. MD5 allows longer passwords, thus provides more security, but some network protocols do not support this, and you may have problems with NIS. Blowfish is also supported.
--- cut ---

This paragraph tells the user that DES is the default encryption method, but it's so insecure that it can't be true. I think it might need some hints from the security team for a bigger rewrite.

In YaST/AutoYaST, the default can be found here
https://github.com/yast/yast-users/blob/SLE-15-SP5/src/lib/users/encryption_method.rb#L61

It's **sha512** (thx, jreidinger)

Comment 1 Lukas Ocilka 2024-04-18 14:23:23 UTC
See also https://github.com/yast/yast-users/blob/SLE-15-SP5/src/lib/users/encryption_method.rb#L42-L58

    # "blowfish" is also known to UsersSimple, but it's no longer offered
    # as a valid option. See fate#312321

    LABELS = {
      # TRANSLATORS: encryption type
      "des"    => N_("DES"),
      # TRANSLATORS: encryption type
      "md5"    => N_("MD5"),
      # TRANSLATORS: encryption type
      "sha256" => N_("SHA-256"),
      # TRANSLATORS: encryption type
      "sha512" => N_("SHA-512")
    }.freeze
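
An audit that follows from this report, as an added example that is not part of the original bug or of yast-users: it classifies shadow-style password fields by their crypt(3) prefix and lists accounts whose stored hash does not use the sha512 default named above. The method names reuse the keys quoted above; `hash_method`, `non_default_accounts` and the sample entries are assumptions constructed for illustration.

```ruby
# Added example, not yast-users code: classify shadow-style password fields
# by crypt(3) method, using the method keys quoted in this report.
DEFAULT_METHOD = "sha512".freeze # default stated in the report

# crypt(3) marks the method with a "$id$" prefix.
PREFIXES = {
  /\A\$1\$/        => "md5",
  /\A\$2[abxy]?\$/ => "blowfish",
  /\A\$5\$/        => "sha256",
  /\A\$6\$/        => "sha512"
}.freeze
# Traditional DES has no prefix: exactly 13 characters from [./0-9A-Za-z].
DES_HASH = %r{\A[./0-9A-Za-z]{13}\z}

# Returns a method name, "none" for empty or locked-without-hash fields,
# or "other" for anything this table does not cover.
def hash_method(field)
  hash = field.to_s.sub(/\A!+/, "") # drop the lock marker, keep the hash
  return "none" if hash.empty? || hash == "*"
  PREFIXES.each { |re, name| return name if hash.match?(re) }
  hash.match?(DES_HASH) ? "des" : "other"
end

# Returns { user => method } for every account that has a hash stored with
# a method other than DEFAULT_METHOD.
def non_default_accounts(shadow_text)
  shadow_text.each_line.with_object({}) do |line, found|
    user, field = line.chomp.split(":", 3)
    next if user.nil? || user.empty?
    kind = hash_method(field)
    found[user] = kind unless ["none", DEFAULT_METHOD].include?(kind)
  end
end

# Constructed sample input: salts and hashes are placeholders with the right
# shape only, not real password hashes.
SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$constructedsalt$constructedhash:19800:0:99999:7:::
  legacy:abCONSTRUCTED:19000:0:99999:7:::
  svc:!$1$constructed$constructedhash:19000:0:99999:7:::
  app:$5$constructedsalt$constructedhash:19800:0:99999:7:::
  nobody:*:19000::::::
SHADOW

non_default_accounts(SAMPLE_SHADOW).each do |user, kind|
  puts "#{user}: #{kind} (default is #{DEFAULT_METHOD})"
end
```

A locked account (`!` prefix) is still reported, because the old hash remains stored in the file.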

Comment 2 Tomáš Bažant 2024-04-29 08:54:00 UTC
Thank you for reporting this bug!
It is being tracked and processed as part of our queue.

Comment 3 Jana Halackova 2024-06-05 11:34:11 UTC
Tracked by https://github.com/SUSE/doc-sle/pull/1727