LinuxQuestions.org


Phaethar 11-04-2009 12:27 PM

Shadow passwords - Changing encryption method from MD5 to SHA
 
Hey all,

I'm looking to find out exactly how to go about changing the encryption method of shadow passwords from MD5 to something a bit stronger, like SHA. I've been looking around for a bit now and haven't found out how to do it.

This is for CentOS 5.

I've gathered that I'll most likely need to change the /etc/pam.d/system-auth file. Right now, there is a line that looks like this:

Code:

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

I'm guessing the md5 should be changed to something else, like sha512.

What else? I know I'll need to reset all passwords once the change is made, but I thought there was someplace else that controls how the passwd command encrypts passwords.

Any suggestions please?

Thanks!

neonsignal 11-04-2009 04:38 PM

This will be a little different on various distros. On the RedHat family, you might be able to use system-config-authorization.

You might find this Q and A helpful, particularly this paragraph:

Quote:

If you make the change manually, you should first remove the "md5" option from the "password" PAM category only. Then re-set all local passwords using the "passwd" or "chpasswd" commands (the latter is suited for bulk password setting). Verify that all the passwords have been changed to the DES form, then remove the "md5" option from the "auth" PAM category.
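
The quoted advice ends with verifying that every local password has been re-hashed. The following is an added example, not part of the thread: it classifies shadow-format entries by their crypt(3) prefix and lists accounts that are not yet on the wanted scheme. The function names and the sample lines are constructed for illustration; on a live system it would be run as root against /etc/shadow.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (hash values are placeholders).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedhashvalue:14552:0:99999:7:::
alice:$1$CONSTRSA$constructedhashvalue:14552:0:99999:7:::
bob:abCONSTRUCTED:14552:0:99999:7:::
daemon:*:14552:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$constructedhashvalue:14552:0:99999:7:::
EOF
}

# Print "user scheme" for every entry of the shadow-format file $1,
# judging the scheme from the prefix of the password field (field 2).
shadow_schemes() {
    awk -F: '
    {
        h = $2
        if (h == "")                      s = "empty"
        else if (h ~ /^[!*]+$/)           s = "locked"   # no usable hash
        else {
            sub(/^!+/, "", h)             # locked account, hash still stored
            if      (h ~ /^\$1\$/)        s = "md5"
            else if (h ~ /^\$2[abxy]?\$/) s = "bcrypt"
            else if (h ~ /^\$5\$/)        s = "sha256"
            else if (h ~ /^\$6\$/)        s = "sha512"
            else if (h ~ /^\$/)           s = "other"
            else if (length(h) == 13)     s = "des"      # traditional crypt
            else                          s = "unknown"
        }
        print $1, s
    }' "$1"
}

# List accounts in file $1 whose hash is not scheme $2 (e.g. sha512).
# Locked and empty entries hold no hash and are skipped.
# Exit status is non-zero while any account still needs a password reset.
shadow_stale() {
    shadow_schemes "$1" | awk -v want="$2" '
        $2 != want && $2 != "locked" && $2 != "empty" { print $1; bad = 1 }
        END { exit bad + 0 }'
}

# Usage on a live system (as root): shadow_stale /etc/shadow sha512
```

An existing hash keeps its old prefix until that account's password is set again, so the list shrinks only as passwords are reset.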

