FS#15913 - [shadow] Change default pw encryption to sha512
Attached to Project:
Arch Linux
Opened by Gerhard Brauer (GerBra) - Wednesday, 12 August 2009, 08:25 GMT
Last edited by Aaron Griffin (phrakture) - Monday, 17 August 2009, 20:15 GMT
Details
Description:
By default we currently use md5/DES encrypted user and group passwords. IMHO it is safer against brute-forcing to switch to sha512 as a default. We should change this on our defaults only, and maybe give a note to the user how and why he should switch this also on his installed system.

To change the defaults (for new users and user passwd changes) these files have to be modified:

a) /etc/pam.d/passwd
-password required pam_unix.so md5 shadow nullok
+password required pam_unix.so sha512 shadow nullok

b) /etc/login.defs
Add an entry:
ENCRYPT_METHOD sha512

c) /etc/default/passwd
This file should be revisited. According to the man page of passwd there are maybe some VARs that don't have an effect anymore. Ex:
CRYPT=des
According to the man page this is now also ENCRYPT_METHOD for passwd.
#GROUP_CRYPT
Same here, man gpasswd referred also only to ENCRYPT_METHOD.
I'm not sure if the other settings in this file still have any effect on current program versions... I saw no negative effect when I added:
ENCRYPT_METHOD sha512
also to this file (and disabled CRYPT=).

For the encryption method switch to take effect, the users have to change their passwords with passwd. After that you could see the better encryption hash in /etc/shadow.
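Added example (not part of the bug report or of the shadow package): a small POSIX sh audit that classifies each shadow-format entry by its crypt(3) "$id$" prefix, so an admin can confirm which accounts still carry md5 or DES hashes after the ENCRYPT_METHOD change and have not re-set their password yet. The sample entries are constructed; run it against the real file with "sh audit.sh /etc/shadow" as root.

```shell
#!/bin/sh
# Map a shadow password field to the hashing scheme it uses.
# crypt(3) prefixes: $1$ md5, $5$ sha256, $6$ sha512; no prefix = traditional DES.
hash_scheme() {
    case "$1" in
        ''|'*'|'!'|'!!')          echo none ;;     # no usable password set
        '!'*)                     echo locked ;;   # hash present but account locked
        '$6$'*)                   echo sha512 ;;
        '$5$'*)                   echo sha256 ;;
        '$1$'*)                   echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$y$'*|'$7$'*)            echo yescrypt ;; # newer libxcrypt schemes, not in the report
        '$'*)                     echo unknown ;;
        *)                        echo des ;;      # 13-char traditional DES hash
    esac
}

# Read shadow-format lines on stdin, print the users whose hash is md5 or DES,
# i.e. the accounts that still need a "passwd" run after switching to sha512.
weak_accounts() {
    while IFS=: read -r user hash _; do
        case "$(hash_scheme "$hash")" in
            md5|des) printf '%s\n' "$user" ;;
        esac
    done
}

# Constructed sample shadow entries (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW='root:$6$Zk3x9Qab$constructedsha512hashvalue:14450:0:99999:7:::
alice:$1$Abc12345$constructedmd5hashvalue:14450:0:99999:7:::
bob:ab12cd34ef56g:14450:0:99999:7:::
daemon:*:14450:0:99999:7:::
carol:!$6$Lk3x9Qab$constructedlockedhash:14450:0:99999:7:::'

# With a file argument audit that file, otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    weak_accounts < "$1"
else
    printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
fi
```

On the sample this prints alice (md5) and bob (DES); root, daemon and the locked carol are not reported.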
Closed by Aaron Griffin (phrakture)
Monday, 17 August 2009, 20:15 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#13591
FS#13591: [pam] Use sha512 hash for passwords for improve local security