
Linux Upgrade Password Hashing Algorithm to SHA-512

The default algorithm for storing password hashes in /etc/shadow is MD5. I was told to use the SHA-512 hashing algorithm instead. How do I configure password hashing to use SHA-256 or SHA-512 under CentOS or Red Hat Enterprise Linux 5.4?

You need to use the authconfig command to set up SHA-256/512 hashing. This command provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided.

Display Current Hashing Algorithm

Type the following command:
# authconfig --test | grep hashing
Sample outputs:

password hashing algorithm is md5

Configure Linux Server To Use The SHA-512

To configure the Linux system to use the SHA-512 algorithm, enter:
# authconfig --passalgo=sha512 --update
Note that existing hashes are not converted: users need to change their passwords in order to generate SHA-512 hashes. You can force a user to change their password on next login:
# chage -d 0 userName
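As an added example (not part of the original tutorial), the following shell script audits shadow-format entries by their crypt(3) prefix so you can see which accounts still hold MD5 or SHA-256 hashes after switching the system to sha512, and prints the chage command for each. The shadow lines are constructed samples with placeholder hash bodies, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample shadow entries; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$abcdefgh$notARealHashJustPlaceholderText0123456789:17000:0:99999:7:::
alice:$1$saltsalt$notARealMd5HashPlaceholder:17000:0:99999:7:::
bob:$5$saltsalt$notARealSha256HashPlaceholder:17000:0:99999:7:::
svc:*:17000:0:99999:7:::
guest:!!:17000:0:99999:7:::'

# Map a crypt(3) hash field to its algorithm name by its "$id$" prefix.
hash_algo() {
  case "$1" in
    '$6$'*)      echo sha512 ;;
    '$5$'*)      echo sha256 ;;
    '$1$'*)      echo md5 ;;
    '$2'*)       echo blowfish ;;        # $2a$/$2y$ bcrypt variants
    '*'|'!'*)    echo locked ;;          # disabled or locked account
    *)           echo des-or-unknown ;;  # 13-char traditional DES or unrecognised
  esac
}

# Print "user algorithm" for every entry in the given shadow text.
list_hash_algos() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
    printf '%s %s\n' "$user" "$(hash_algo "$hash")"
  done
}

# Users whose password must be changed to obtain a sha512 hash:
# anything that is hashed but not with $6$.
users_needing_rehash() {
  list_hash_algos "$1" | awk '$2 != "sha512" && $2 != "locked" { print $1 }'
}

# Dry run: print the chage command for each such user. On a real host,
# run as root against /etc/shadow and drop the echo to apply.
force_change() {
  for u in $(users_needing_rehash "$1"); do
    echo "chage -d 0 $u"
  done
}

force_change "$SAMPLE_SHADOW"
```

Run it against the real file with `users_needing_rehash "$(cat /etc/shadow)"` as root to see which accounts still carry pre-sha512 hashes.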

14 comments
  • Andrii November 11, 2009, 12:52 pm

    Does it work in Debian?

  • iCroc November 11, 2009, 2:29 pm

    This message appears:

    authconfig: Unknown password hashing algorithm specified, using sha256.

  • iCroc November 11, 2009, 10:19 pm

    I have solved this problem by replacing this command
    authconfig --passalgo=SHA512 --update
    with
    authconfig --passalgo=sha512 --update

    Because there is no algorithm called SHA512.

    Best Regards

  • Philippe Petrinko November 12, 2009, 10:56 am

    Hi Vivek,
    This is an Interesting post. Thanks for writing it.

    BTW, would you modify
    # authconfig --passalgo=SHA512 --update

    to lowercase "sha512" as iCroc observed?

  • kubrick November 12, 2009, 11:16 am

    I’ve found this little article for Debian based systems.
    You could change the default MD5 algorithm for the more secure Blowfish.

    On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:

    First, install the libpam-unix2 module. That can be done simply via APT, Debian’s software management system, using the command
    # apt-get install libpam-unix2
    Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace pam_unix.so with pam_unix2.so.
    Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.

    Cheers!

  • nixCraft November 12, 2009, 1:17 pm

    @ iCroc / Philippe

    Thanks for pointing out the typo.

    @ kubrick,

    Thanks for sharing Debian specific information.

  • j0rn November 24, 2009, 11:45 pm

    nice tip, thx :)
    the algorithm corresponds to the second parameter in shadow passwords entries

    user:$1$abcdef…

    $1$ is md5 while $6$ is sha512, $0$ should be old des and $2$ blowfish I think

    man crypt ;)

    I updated my local users' digests "by hand" by modifying the "ENCRYPT_METHOD" directive directly in login.defs, but I didn't know that (more elegant) way to do it.

  • KING SABRI January 11, 2010, 1:38 am

    Thanks Vivek

    Fedora 12 by default uses SHA-512
    CentOS-5.4 by default uses MD5
    Ubuntu by default uses MD5, but the command is not found

  • nixCraft January 11, 2010, 4:46 am

    Try kubrick's comment #5; it may work on Ubuntu too…

  • wedgeshot April 7, 2010, 2:43 pm

    Actually Ubuntu is sha512 in 9.04 and 9.10. I don't remember changing anything related to PAM, so that should be the default.

  • chris July 30, 2012, 8:54 am

    sha-512 should not be used for passwords. nor should md5 – you need some kind of HMAC solution instead – see hashcat speeds for a great example of what’s really weak.

  • william October 23, 2012, 2:35 am

    Does it affect other passwords, like application servers installed on the same Linux box?

  • Jan Gerrit Kootstra April 5, 2016, 9:38 pm

    Warning: it does not seem to work if you use OpenLDAP clients. I have not found the correct syntax to add OpenLDAP client support.

  • Arsalan May 23, 2016, 6:31 pm

    Awesome Blossom :) thx
