The default algorithm for storing password hashes in /etc/shadow is MD5. I was told to use SHA-512 hashing algorithm. How do I set password hashing using the SHA-256 and SHA-512 under CentOS or Redhat Enterprise Linux 5.4?
You need to use authconfig command to setup SHA-256/512 hashing. This command provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided.
Display Current Hashing Algorithm
Type the following command:
# authconfig --test | grep hashing
Sample outputs:
password hashing algorithm is md5
Configure Linux Server To Use The SHA-512
To configure the Linux system to use the SHA-512 algorithm, enter:
# authconfig --passalgo=sha512 --update
Note users need to change their passwords in order to generate hashes using SHA-512. You can force users to change their password on next login:
# chage -d 0 userName
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -
{ 10 comments… read them below or add one }
Is it works in Debian?
This message appear
authconfig: Unknown password hashing algorithm specified, using sha256.
I have solved this problem by replacing this command
authconfig –passalgo=SHA512 –update
to
authconfig –passalgo=sha512 –update
Because no algorithm called SHA512
Best Regards
Hi Vivek,
This is an Interesting post. Thanks for writing it.
BTW, would you modify
# authconfig –passalgo=SHA512 –update
to lowercase “sha512″ as iCroc observed ?
I’ve found this little article for Debian based systems.
You could change the default MD5 algorithm for the more secure Blowfish.
On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:
First, install the libpam-unix2 module. That can be done simply via APT, Debian’s software management system, using the command
# apt-get install libpam-unix2
Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace pam_unix.so with pam_unix2.so.
Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.
Cheers!
@ iCroc / Philippe
Thanks for pointing out the typo.
@ kubrick,
Thanks for sharing Debian specific information.
nice tip, thx :)
the algorithm corresponds to the second parameter in shadow passwords entries
user:$1$abcdef…
$1$ is md5 while $6$ is sha512, $0$ should be old des and $2$ blowfish I think
man crypt ;)
I updated my local users digest “by hand” by modifying the “ENCRYPT_METHOD” directive directly in login.defs, but I didn’t that -more elegant- way to do
Thnaks Vivek
Fedora 12 by Default uses SHA-512
CentOS-5.4 by Default uses MD5
Ubuntu by Default uses MD5, But the command Not Found
Try kubrick comment # 5, it may work on Ubuntu too…
Actually Ubuntu is sha512 in 9.04 and 9.10. I don’t remember changing anything related to PAM so that should be the default