hashview / hashview-old

A web front-end for password cracking and analytics

Home Page: http://www.hashview.io

Incorrect hash when you upload shadow with disabled accounts

I-Iugo opened this issue · comments

When uploading a shadow file with disabled accounts the saved hashes are incorrect:

```
[29] pry> hash
"!$6$6koxvdtpg9ujf2$vdxh4nxxuqwzaqvmh2oxrmrz4p02rw4g8fpq.2tkwuyderil5fndrwin0qcx.daj6szqaox//e7f5d2nymglt."
[30] pry> hash =~ %r{^\$6\$[\.\/0-9A-Za-z]{4,9}\$[\.\/0-9A-Za-z]{86}$}
=> nil # because {4, 9} is too small and the hash starts with !

## Fixed
[33] pry> hash = "$6$6koxvdtpg9ujf2$vdxh4nxxuqwzaqvmh2oxrmrz4p02rw4g8fpq.2tkwuyderil5fndrwin0qcx.daj6szqaox//e7f5d2nymglt."
[34] pry> %r{^\$6\$(rounds=\d+\$)?[a-z\d\/\.]{0,16}\$[a-z\d\/\.]{86}$}.match?(hash)
=> true
```

In order for this to work properly, disabled accounts should be ignored in the shadow file and the {4,9} should be changed to {4,16} in the sha512crypt regex. Adding an optional (rounds=\d+\$) should prevent parsing hashes that contain this pattern.

I'll send a PR!
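Added example, not part of the original issue and not hashview's own code: a shadow-file import filter that skips locked or disabled entries (password field starting with `!` or `*`) and accepts sha512crypt with a salt of up to 16 characters and an optional `rounds=` prefix. The names `SHA512CRYPT`, `parse_shadow`, `DIGEST` and `SAMPLE` are hypothetical, the sample lines are constructed, and the pattern is anchored with `\A`/`\z` because Ruby's `^`/`$` match at line boundaries.

```ruby
# Added example (hypothetical names, not hashview's implementation).
# sha512crypt: $6$ [rounds=N$] salt (0-16 chars) $ 86-char digest, crypt(3) alphabet.
SHA512CRYPT = %r{\A\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}\z}

# Returns [kept, skipped]: kept holds {user:, hash:} for importable entries,
# skipped holds {user:, reason:} so rejected lines are reported, not stored.
def parse_shadow(text)
  kept = []
  skipped = []
  text.each_line(chomp: true) do |line|
    next if line.strip.empty? || line.start_with?('#')
    user, field = line.split(':', 3)
    if field.nil? || field.empty?
      skipped << { user: user, reason: :no_password_field }
    elsif field.start_with?('!', '*')
      # Locked/disabled account: never store the field as if it were a hash.
      skipped << { user: user, reason: :locked_or_disabled }
    elsif SHA512CRYPT.match?(field)
      kept << { user: user, hash: field }
    else
      skipped << { user: user, reason: :unrecognised_format }
    end
  end
  [kept, skipped]
end

# Constructed sample input; the digest is filler, not a real hash.
DIGEST = 'aB3./' * 17 + 'x' # 86 characters
SAMPLE = <<~SHADOW
  alice:$6$saltsaltsalt14$#{DIGEST}:18000:0:99999:7:::
  bob:!$6$saltsaltsalt14$#{DIGEST}:18000:0:99999:7:::
  daemon:*:18000:0:99999:7:::
  carol:$6$rounds=5000$shortsalt$#{DIGEST}:18000:0:99999:7:::
  dave:$1$abc$notsha512:18000:0:99999:7:::
SHADOW

if __FILE__ == $PROGRAM_NAME
  kept, skipped = parse_shadow(SAMPLE)
  kept.each { |e| puts "import #{e[:user]}" }
  skipped.each { |e| puts "skip   #{e[:user]} (#{e[:reason]})" }
end
```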