LinuxQuestions.org
Old 08-07-2006, 12:21 PM   #1
zerg4141
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian
Posts: 27

Rep: Reputation: 15
changing the /etc/shadow hash algo.


I was wondering if/how to change the hashes in shadow from MD5 to some other (better) hash like SHA512 or Whirlpool. I know there must be a way since the only standards that I am aware of right now are DES and MD5... stuff which security-minded people couldn't sleep at night if there was no way to deal with that.

Any good articles out there or easy ways to do this with PAM or something? I've looked around a little, but haven't found anything specifically for this.

--Zerg4141
 
Old 08-07-2006, 03:55 PM   #2
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 15
I think the only way to change the algorithm to something other than MD5 or DES would be to tinker with the source code.
However, doing that is not necessary. Although vulnerabilities have been found in both algorithms, they do not apply to the way these algorithms are used by shadow. MD5-shadowed passwords definitely cannot be recovered. You can check if you are using MD5 by looking for the string $1$ after the username. Here's an example from my /etc/shadow (slightly changed, of course):
Code:
root:$1$8TgOeHrR$Ud55Ft7....
I suggest you do a Google search on "md5 vulnerability" and the shadow program.

Lotharster

Last edited by Lotharster; 08-07-2006 at 04:03 PM.
 
Old 08-07-2006, 08:32 PM   #3
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
The algorithm isn't vanilla MD5 but based on it. The alternative is another based on Blowfish. See:
http://www.openwall.com/pam/
http://www.openwall.com/crypto/

Ideally, it should be as easy as it is on Solaris and *BSD to change it (by configuring /etc/pam.d/system-auth, for example) but I don't know why it isn't a standard on Linux yet.
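
The `$1$` check from post #2, extended to the other schemes named in the thread, as an added example that is not part of any poster's reply: it classifies each account in shadow-format text by the identifier at the start of its password field. The sample entries are constructed filler, and the `$5$`/`$6$` SHA-crypt identifiers are not mentioned in the thread; they are included because the original question asks about SHA512.

```python
import re

# crypt(3) scheme identifiers. "$1$" is quoted in the thread; the "$2" family
# is the Blowfish-based scheme; "$5$"/"$6$" (SHA-crypt) are not in the thread.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^\$2[abxy]?\$"), "blowfish-crypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),
]

def classify(field):
    """Name the hashing scheme of a shadow password field (2nd column)."""
    if field == "":
        return "empty"
    locked = field[0] in "!*"          # leading ! or * disables password login
    body = field.lstrip("!*")
    if body == "":
        return "no-password-login"
    for pattern, name in SCHEMES:
        if pattern.match(body):
            return name + (" (locked)" if locked else "")
    return "unknown"

def audit(shadow_text):
    """Map each account in shadow-format text to its scheme."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        result[parts[0]] = classify(parts[1])
    return result

# Constructed sample entries; the hash bodies are filler, not real hashes.
SAMPLE = """\
root:$1$CONSTRUC$xxxxxxxxxxxxxxxxxxxxxx:13367:0:99999:7:::
alice:$2a$08$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:13367:0:99999:7:::
bob:abCONSTRUCTED:13367:0:99999:7:::
carol:!$1$CONSTRUC$xxxxxxxxxxxxxxxxxxxxxx:13367:0:99999:7:::
daemon:*:13367:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user:8} {scheme}")
```

To run it against a live system, pass the contents of /etc/shadow (readable only by root) to `audit()` instead of `SAMPLE`.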
 
  

