LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   changing the /etc/shadow hash algo. (http://www.linuxquestions.org/questions/linux-security-4/changing-the-etc-shadow-hash-algo-471646/)

zerg4141 08-07-2006 12:21 PM

changing the /etc/shadow hash algo.
 
I was wondering if/how to change the hashes in shadow from MD5 to some other (better) hash like SHA512 or Whirlpool. I know there must be a way since the only standards that I am aware of right now are DES and MD5...stuff which security minded people couldn't sleep at night if there was no way to deal with that.

Any good articles out there or easy ways to do this with PAM or something? I've looked around a little, but haven't found anything specifically for this.

--Zerg4141

Lotharster 08-07-2006 03:55 PM

I think the only way to change the algorithm to something other than MD5 od DES wouold me to tinker with the source code.
However, doing that is not neccessary. Although vulnerabilities have been found in both algorithms, they do not apply to the way these algorithms are used by shadow. MD5-shadowed passwords definitely cannot be recovered. You can check if you are using MD5 by looking for the string $1$ after the username. Here's an example from my /etc/shadow (slightly changed, of course):
Code:

root:$1$8TgOeHrR$Ud55Ft7....
I suggest you do a google search on "md5 vulerability" and the shadow program.

Lotharster

primo 08-07-2006 08:32 PM

The algorithm isn't vanilla MD5 but based on it. The alternative is another based on Blowfish. See:
http://www.openwall.com/pam/
http://www.openwall.com/crypto/

Ideally, it should be as easy as it is on Solaris and *BSD to change it (by configuring /etc/pam.d/system-auth, for example) but I don't know why it isn't a standard on Linux yet.


All times are GMT -5. The time now is 12:19 PM.