LinuxQuestions.org

Linux - Security: shadow password hashes (http://www.linuxquestions.org/questions/linux-security-4/shadow-password-hashes-877196/)

themanwhowas 04-26-2011 11:19 AM

shadow password hashes
 
Hey guys

Two questions, 1 - Is the following correct:

The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used. A salt follows this, followed by the password hash. When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Every time that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow.

So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?


question 2 - If my $id$ was $5$, which is sha256, how would I go about changing this? Like is there a shadow.conf or crypt.conf or something? Can I change it per user?


Thank you

nomb 04-26-2011 11:27 AM

Quote:

Originally Posted by themanwhowas (Post 4336923)
Hey guys

Two questions, 1 - Is the following correct:

The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used. A salt follows this, followed by the password hash. When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Every time that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow.

So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?


question 2 - If my $id$ was $5$, which is sha256, how would I go about changing this? Like is there a shadow.conf or crypt.conf or something? Can I change it per user?


Thank you

Just after a quick once-over, that looks correct.

Some distros have a command which will change all the appropriate files for you, but in a nutshell you will need to change PAM and the system itself.

Take a look at (again may be different in other distros):
/etc/pam.d/password
/etc/default/password
/etc/login.defs

After you change the type of hash, you will have to regenerate the password hashes for your users.

anomie 04-26-2011 12:32 PM

Quote:

Originally Posted by nomb
Some distros have a command which will change all the appropriate files for you, but in a nutshell you will need to change PAM and the system itself.

That's right. It is a good idea to include your distro / version in your initial post.

Quote:

Originally Posted by nomb
After you change the type of hash, you will have to regenerate the password hashes for your users.

Just to add some clarity: the original (pre-change) hash will still be supported in the sense that users with existing passwords should still be able to authenticate. But any passwd(1) changes from that point (post-change) going forward will use the new hash. You could conceivably have a shadow(5) file that contains users with both hash types.
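
Worked example, added here and not part of the thread or of any distro's code: it parses constructed /etc/shadow lines, re-runs the supplied password through crypt(3) with the stored $id$[rounds=N$]salt$ prefix exactly as login/pam_unix does (the first question), and shows that a shadow file holding $1$, $5$ and $6$ entries side by side still verifies every user (anomie's point). It assumes a glibc/libxcrypt system where crypt(3) supports those ids; bcrypt ($2a$/$2b$) uses a different field layout and is left out.

```python
import hmac
import ctypes
import ctypes.util
# $id$ values from crypt(5); bcrypt ($2a$/$2b$) uses a different layout and is left out
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def crypt_setting(password: str, setting: str) -> str:
    """crypt(3): stdlib module up to Python 3.12, else libcrypt through ctypes."""
    try:
        import crypt  # deprecated in 3.11, removed in 3.13
        result = crypt.crypt(password, setting)
    except ImportError:
        lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        raw = lib.crypt(password.encode(), setting.encode())
        result = raw.decode() if raw else None
    if not result or result.startswith("*"):  # libxcrypt signals failure with "*0"/"*1"
        raise ValueError("crypt(3) rejected setting %r" % setting)
    return result

def parse_shadow_entry(line: str) -> dict:
    """Split 'user:$id$[rounds=N$]salt$hash:...' into its parts (shadow(5))."""
    user, field = line.split(":", 2)[:2]
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("locked, empty or unsupported entry for %s" % user)
    ident, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][7:]), rest[1:]
    return {"user": user, "id": ident, "scheme": SCHEMES.get(ident, "unknown"),
            "rounds": rounds, "salt": rest[0], "hash": rest[1], "field": field}

def verify(password: str, entry: dict) -> bool:
    """What login/pam_unix does: take the stored $id$[rounds=N$]salt$ prefix,
    run the supplied password through crypt(3) with it, compare to the stored field."""
    setting = entry["field"].rsplit("$", 1)[0] + "$"
    candidate = crypt_setting(password, setting)
    return hmac.compare_digest(candidate, entry["field"])  # constant-time compare

def build_entries(password: str = "correct horse") -> list:
    """Constructed sample shadow lines (not from a real system): one password stored
    under $5$, $6$ and $1$, as a system that changed ENCRYPT_METHOD over time might hold."""
    settings = ["$5$abcdefgh$", "$6$rounds=10000$ijklmnop$", "$1$qrstuvwx$"]
    lines = ["user%d:%s:15090:0:99999:7:::" % (i, crypt_setting(password, s))
             for i, s in enumerate(settings)]
    return [parse_shadow_entry(l) for l in lines]
```

Because the prefix (and therefore the scheme) is read back from each stored entry, old $5$ entries keep working after ENCRYPT_METHOD is switched to SHA512; only passwords set after the switch get a $6$ field.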

