Linux Upgrade Password Hashing Algorithm to SHA-512

Last updated November 12, 2009

The default algorithm for storing password hashes in /etc/shadow is MD5. I was told to use the SHA-512 hashing algorithm. How do I set password hashing to SHA-256 or SHA-512 under CentOS or Red Hat Enterprise Linux 5.4?

You need to use the authconfig command to set up SHA-256/512 hashing. This command provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided.

Display Current Hashing Algorithm

Type the following command:
# authconfig --test | grep hashing
Sample output:

password hashing algorithm is md5

Configure Linux Server To Use SHA-512

To configure the Linux system to use the SHA-512 algorithm, enter:
# authconfig --passalgo=sha512 --update
Note that users need to change their passwords in order to generate hashes using SHA-512: authconfig only changes the algorithm applied to new passwords, so the existing MD5 hashes in /etc/shadow remain until each user sets a new password. You can force users to change their password at next login:
# chage -d 0 userName
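Because the switch above leaves existing MD5 hashes in place, the check a sysadmin wants afterwards is a list of which accounts still carry them. The following POSIX shell script is an added example, not code from the original article: it classifies each /etc/shadow entry by its $id$ prefix and prints the chage commands for the accounts still on MD5, using a constructed sample shadow file with placeholder hashes.

```shell
#!/bin/sh
# Added example, not code from the original article: after running
# `authconfig --passalgo=sha512 --update`, existing /etc/shadow entries are
# NOT rewritten, so this audits which accounts still carry MD5 hashes.
# Run as root against the real file: shadow_audit < /etc/shadow

# Map one crypt(3) hash field to its algorithm, using the $id$ prefix.
hash_algo() {
    case "$1" in
        '$1$'*)        echo md5 ;;
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        '$2'*)         echo bcrypt ;;          # $2a$ / $2b$ / $2y$ (Blowfish-based)
        ''|'!'*|'*'*)  echo locked ;;          # no password or account locked
        *)             echo des-or-unknown ;;  # 13-char traditional DES has no prefix
    esac
}

# Read shadow-format lines on stdin, print "user algorithm" per account.
shadow_audit() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_algo "$hash")"
    done
}

# Accounts whose hash is still MD5: these users must set a new password
# before SHA-512 takes effect for them.
md5_users() {
    shadow_audit | awk '$2 == "md5" { print $1 }'
}

# Dry run: print the chage commands from the article that would force those
# users to change their password at next login (pipe into sh to apply).
force_reset_cmds() {
    md5_users | while read -r u; do printf 'chage -d 0 %s\n' "$u"; done
}

# Constructed sample shadow file with placeholder hashes (not real hashes).
SAMPLE_SHADOW='root:$6$c0nstructed$placeholderhash:14500:0:99999:7:::
alice:$1$c0nstruc$placeholdermd5hash:14500:0:99999:7:::
bob:$5$c0nstructed$placeholderhash:14500:0:99999:7:::
carol:!$1$c0nstruc$placeholdermd5hash:14500:0:99999:7:::
daemon:*:14500:0:99999:7:::
legacy:Xy1AbCdEfGhIj:14500:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
printf '%s\n' "$SAMPLE_SHADOW" | force_reset_cmds
```

Locked accounts (hash prefixed with ! or *) are reported as locked even when the hash behind the marker is MD5, since no login can succeed with them until they are unlocked.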

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.


14 comments

  1. I’ve found this little article for Debian based systems.
    You could change the default MD5 algorithm to the more secure Blowfish.

    On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:

    First, install the libpam-unix2 module. That can be done simply via APT, Debian’s software management system, using the command
    # apt-get install libpam-unix2
    Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace pam_unix.so with pam_unix2.so.
    Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.

    Cheers!

  2. nice tip, thx :)
    the algorithm corresponds to the second field in shadow password entries

    user:$1$abcdef…

    $1$ is md5 while $6$ is sha512, $0$ should be old des and $2$ blowfish I think

    man crypt ;)

    I updated my local users’ digests “by hand” by modifying the “ENCRYPT_METHOD” directive directly in login.defs, but I didn’t know this more elegant way of doing it.

  3. sha-512 should not be used for passwords. nor should md5 – you need some kind of HMAC solution instead – see hashcat speeds for a great example of what’s really weak.
