Archwiki: Change your password hashes from MD5 (Default) to SHA
Posted by comhack | Filed under Archlinux, Linux, Security
To begin with, I know I have not blogged in a few weeks but I have been a bit busy here lately, but I plan on posting a lot more as soon as I can.
Anyway, I ran across this tip the other day on the Archlinux wiki and thought it was an very important and beneficial practice for any Linux user to follow. The directions may differ depending on the distro but it is very important and worth looking into:
In commons Linux distribution, login passwords are encrypted and stored in the file /etc/shadow. The algorithm used for that purpose is MD5 which is usually know to have some weaknesses due to collision issues. This means someone gaining access to this password file could use these flaws to reverse back the MD5 encryption and thus find out the clear passwords. For that reason and because the basic Arch Linux installation uses MD5, it is advised to use a more robust encryption algorythm such as SHA.
In the below examples, sha512 may be used instead of sha256, for even stronger cryptography. SHA2
Editing the Necessary Files
Editing /etc/pam.d/passwd
You must be root to edit this file. What you will probably see is something like this:
#%PAM-1.0
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2\ retry=3
#password required pam_unix.so md5\ shadow use_authtok
password required pam_unix.so md5\ shadow nullokA more detailed explanation of those options is available in the pam man pages, but what we are interested in is the option md5.
Replace md5 to sha256, or sha512 (recommended by the NSA for RHEL5).
After doing so, the file should look like this:
#%PAM-1.0
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2\ retry=3
#password required pam_unix.so md5\ shadow use_authtok
password required pam_unix.so sha512\ shadow nullokEditing /etc/default/passwd
You will also need root access to edit this file. It most likely looks like this:
# This file contains some information\ for
# the passwd (1) command and other\ tools
# creating or modifying passwords.# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des# Use another crypt hash for group passwowrds.
# This is used by gpasswd, fallback is\ the CRYPT entry.
# GROUP_CRYPT=des# We can override the default for a\ special service
# by appending the service name (FILES,\ YP, NISPLUS, LDAP)# for local files, use a more secure\ hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special\ options for
# a hash (variable is prepended by the\ name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=5# For NIS, we should always use DES:
CRYPT_YP=desOnce again, the change is very simple. Change
CRYPT=des
to
CRYPT=sha512
or whatever SHA-2 encryption you are using.Final Steps
Even though you have changed the encryption, your passwords are not automatically rehashed!
To fix this, you must reset all user passwords so that they can be rehashed.
As root, the command
# passwd
whereis the name of the user whose password you are changing, will allow you to do this. Simply re-enter their current password, and it will be rehashed to the more secure SHA-2 version! To verify that your passwords have been rehashed, check the /etc/shadow file as root. Passwords hashed with sha256 should begin with a $5 (passwords hashed with sha512 will begin with $6).
https://wiki.archlinux.org/index.php/SHA_password_hashes
NOTE: The \ symbol means that the text following it is on the same line. My columns on my Blog are not wide enough to display the full line.
Leave a Reply
You must be logged in to post a comment.
...