The default algorithm for storing password hashes in /etc/shadow is MD5. I was told to use the SHA-512 hashing algorithm. How do I configure password hashing with SHA-256 or SHA-512 under CentOS or Red Hat Enterprise Linux 5.4?
You need to use the authconfig command to set up SHA-256/512 hashing. This command provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided.
Display Current Hashing Algorithm
Type the following command:
# authconfig --test | grep hashing
Sample outputs:
password hashing algorithm is md5
Configure Linux Server To Use SHA-512
To configure the Linux system to use the SHA-512 algorithm, enter:
# authconfig --passalgo=sha512 --update
Note that existing hashes are not converted: users need to change their passwords in order to generate new hashes using SHA-512. You can force a user to change their password at next login:
# chage -d 0 userName
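To confirm that accounts have actually been re-hashed after the switch, the hash field of each /etc/shadow entry can be inspected: its "$id$" prefix identifies the crypt(3) scheme ($1$ = md5, $5$ = sha256, $6$ = sha512). The following POSIX shell audit script is an added example, not part of the original post; it runs on constructed sample entries with fake hashes, and the function names are mine.

```shell
#!/bin/sh
# Added example: report the crypt(3) scheme of each local account's stored
# hash and count accounts still not on sha512. Prefixes per crypt(3):
# $1$ md5, $5$ sha256, $6$ sha512, $2$/$2a$/$2y$ blowfish; no "$" prefix is
# legacy DES; a field starting with "!" or "*" (or empty) is locked.

# Map one shadow hash field to a scheme name (printed on stdout).
hash_algo_of() {
    case "$1" in
        '!'*|'*'*|'')          echo locked ;;
        '$1$'*)                echo md5 ;;
        '$5$'*)                echo sha256 ;;
        '$6$'*)                echo sha512 ;;
        '$2$'*|'$2a$'*|'$2y$'*) echo blowfish ;;
        '$'*)                  echo unknown ;;
        *)                     echo des ;;
    esac
}

# Read shadow-format lines from stdin and print "user scheme" per line.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        printf '%-12s %s\n' "$user" "$(hash_algo_of "$hash")"
    done
}

# Read shadow-format lines from stdin and print how many usable accounts
# (not locked) still have a hash that is not sha512.
count_non_sha512() {
    weak=0
    while IFS=: read -r _user hash _rest; do
        case "$(hash_algo_of "$hash")" in
            sha512|locked) ;;
            *) weak=$((weak + 1)) ;;
        esac
    done
    echo "$weak"
}

# Constructed sample entries (fake salts and hashes, not real credentials).
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::
alice:$1$abcdef$FAKEMD5HASHFAKEMD5HASH:18000:0:99999:7:::
bob:$5$saltsalt$FAKESHA256HASHFAKESHA256:18000:0:99999:7:::
carol:*:18000:0:99999:7:::
dave:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::
EOF
)

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf 'accounts still not using sha512: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SHADOW" | count_non_sha512)"
```

On a real system run it as root against the actual file, for example `count_non_sha512 < /etc/shadow`, and re-run after users have changed their passwords.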
Does it work in Debian?
This message appears:
authconfig: Unknown password hashing algorithm specified, using sha256.
I solved this problem by changing this command
authconfig --passalgo=SHA512 --update
to
authconfig --passalgo=sha512 --update
because there is no algorithm called SHA512.
Best Regards
Hi Vivek,
This is an Interesting post. Thanks for writing it.
BTW, would you modify
# authconfig --passalgo=SHA512 --update
to lowercase “sha512” as iCroc observed?
I’ve found this little article for Debian based systems.
You could change the default MD5 algorithm for the more secure Blowfish.
On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:
First, install the libpam-unix2 module. That can be done simply via APT, Debian’s software management system, using the command
# apt-get install libpam-unix2
Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace pam_unix.so with pam_unix2.so.
Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.
Cheers!
@ iCroc / Philippe
Thanks for pointing out the typo.
@ kubrick,
Thanks for sharing Debian specific information.
nice tip, thx :)
The algorithm corresponds to the second field in shadow password entries:
user:$1$abcdef…
$1$ is md5 while $6$ is sha512; $0$ should be old DES and $2$ Blowfish, I think.
man crypt ;)
I updated my local users' digest “by hand” by modifying the “ENCRYPT_METHOD” directive directly in login.defs, but I didn't know that more elegant way to do it.
Thanks Vivek
Fedora 12 by default uses SHA-512.
CentOS 5.4 by default uses MD5.
Ubuntu by default uses MD5, but the command is not found.
Try kubrick's comment #5; it may work on Ubuntu too…
Actually Ubuntu is sha512 in 9.04 and 9.10. I don’t remember changing anything related to PAM so that should be the default
SHA-512 should not be used for passwords, nor should MD5 – you need some kind of HMAC solution instead – see hashcat speeds for a great example of what's really weak.
Does it affect other passwords, like application servers installed on the same Linux box?
Warning: this does not seem to work if you use OpenLDAP clients. I have not found the correct syntax to add OpenLDAP client support.
Awesome Blossom :) thx