But when I try to change the password of a user, I get the following error:
Quote:
Code:
2020-07-31T15:44:08.543922+02:00 ltdvnis01 passwd[28521]: pam_unix(passwd:chauthtok): Algo blowfish not supported by the crypto backend, falling back to MD5
2020-07-31T15:44:08.550694+02:00 ltdvnis01 passwd[28521]: pam_unix(passwd:chauthtok): password changed for test1
So it could not use Blowfish and falls back to MD5. Also, the hash key in /etc/shadow confirms this, as it is not $2$ as expected.
The SuSE Documentation however says,
Using Yast, one can select Blowfish Encryption, using:
Quote:
Yast-->Security Overview-->
Password Encryption Method
Choose a password encryption algorithm. Normally there is no need to change the default(Blowfish).
I could not see Blowfish option in Yast.
So the question is, if it is default, should I still have to enable it somehow? If yes, then how?
If not, then how do I install and enable it?
Kindly provide me the pointers. Of course I will also be searching Google.
Are twofish or AES options? Blowfish is 27 years old. Also, Blowfish and MD5 are 2 completely separate things. MD5 is a hashing algorithm and not an encryption algorithm.
Okay. I know with SLES15 there are better encryption methods available, SHA126 and SHA512, but the problem is, we have to support SLES12 and SuSE10 NIS Clients at the same time. So we have to find a middle solution. Hence Blowfish, which is at least better than MD5 or DES.
Just wish to have better UNIX passwords security.
So, SHA algorithms are not encryption algorithms, they are hashing algorithms, which are completely different things. They do not encrypt, they hash, or rather create digests. These are ONE WAY and you cannot retrieve data that has been hashed. This is how you would protect passwords on a Linux system for example.
Encryption is two-way, in that once you provide a key, you can decrypt and read the encrypted text. This is how you would protect sensitive files for example.
These two terms are frequently confused but mean completely different things.
Thanks for the clarification.
So what we want is a secure hashing algorithm which works on both SLES12 and SuSE10. I thought Blowfish would work on all. But somehow on SLES15 (even though the Documentation says it supports it), I failed to enable/activate Blowfish.
OK - what are you trying to accomplish or are you "hardening" and trying to use better algorithms for user password storage on Suse? For example, how they are stored in /etc/shadow?
Hardening yes. But not for /etc/passwd. We are setting up a new NIS Server on SLES15. We already have a working NIS but on SuSE10. So we wish to set up a new one on the latest OS, keeping the SLES12 and SLES10 NIS Client functionality intact.
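The check described in the first post (reading the hash prefix in /etc/shadow to see which algorithm passwd actually used) can be scripted. The following is an added example, not part of the thread: it classifies the second field of shadow-format entries by crypt(3) prefix and flags MD5, DES, empty and unrecognised entries for review. The sample entries are constructed placeholders, not real hashes, and the weak/not-weak split is this example's assumption.

```python
import re

# crypt(3) scheme prefixes. The third value marks schemes that this example
# treats as needing review (an assumption of the example, adjust to policy).
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5crypt", True),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt (Blowfish-based)", False),
    (re.compile(r"^\$5\$"), "sha256crypt", False),
    (re.compile(r"^\$6\$"), "sha512crypt", False),
    (re.compile(r"^\$y\$"), "yescrypt", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt (traditional DES)", True),
]

# Constructed sample in shadow(5) format; hash bodies are placeholders.
SAMPLE = """\
test1:$1$Cnstrctd$ConstructedPlaceholder00:18474:0:99999:7:::
test2:$2y$10$ConstructedPlaceholderConstructedPlaceholder000000000:18474:0:99999:7:::
test3:$6$Cnstrctd$ConstructedPlaceholderSha512:18474:0:99999:7:::
legacy:abCDEFGHIJKLM:12000:0:99999:7:::
svc:!:18474::::::
+::::::::
"""

def classify(field):
    """Return (scheme, needs_review) for the password field of one entry."""
    if field == "":
        return ("empty password", True)
    if field[0] in "!*":
        return ("locked or no login", False)
    for pattern, name, needs_review in SCHEMES:
        if pattern.search(field):
            return (name, needs_review)
    return ("unknown", True)

def audit(text):
    """Return [(user, scheme, needs_review)] for shadow-format text."""
    results = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        # Skip blanks, comments and NIS compat entries ("+" / "-" lines).
        if len(parts) < 2 or parts[0][:1] in ("", "#", "+", "-"):
            continue
        results.append((parts[0],) + classify(parts[1]))
    return results

if __name__ == "__main__":
    for user, scheme, needs_review in audit(SAMPLE):
        print(f"{user:8} {scheme:28} {'REVIEW' if needs_review else 'ok'}")
```

An account whose password was changed after the "falling back to MD5" log message shows up here as md5crypt, matching what the hash prefix in /etc/shadow indicates.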