Gentoo Forums
changing /etc/shadows encryption
Cr0t
l33t


Joined: 27 Apr 2002
Posts: 944
Location: USA

PostPosted: Thu Jun 07, 2012 4:19 pm    Post subject: changing /etc/shadows encryption Reply with quote

What's an easy way to change the encryption method? You can just edit /etc/login.defs and adjust the ENCRYPTION_METHOD, but you need to be careful if you are using pam. Does anyone know of an easier way?
_________________
cya
    ©®0t
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

PostPosted: Tue Jun 12, 2012 8:01 pm    Post subject: Reply with quote

Change that line in /etc/login.defs
Code:
#ENCRYPT_METHOD DES
ENCRYPT_METHOD SHA512


Make sure the same hashing algorithm (not md5) is in /etc/pam.d/system-auth:
Code:
password       required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow


This will only hash new passwords with the new algorithm, not existing ones. There is no way to convert the whole shadow file. Each login ID will have to go through a password change to make this happen. (You could use chpasswd to batch change them, using a file containing userid:password entries, but users would then have to be notified of the temporary password and change it themselves.)

You can see which hashing algorithm has been used for each password by examining the /etc/shadow file: passwords hashed with sha512 should begin with '$6' (per the man page for 'crypt').
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.


Last edited by Bones McCracker on Thu Jun 14, 2012 12:31 am; edited 2 times in total
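The check described in the answer above (look at the prefix of each hash in /etc/shadow: '$6' is sha512, '$1' is md5) can be run over the whole file to find the accounts that still need a password change. The following script is an added example, not code from this thread or from Gentoo; it also recognises the other crypt(5) prefixes, traditional 13-character DES hashes, and accounts locked with passwd -l (which keeps the old hash behind a leading '!'). The SAMPLE_SHADOW entries are constructed and the hash strings are placeholders, not real password hashes.

```python
"""Audit which crypt(3) algorithm each /etc/shadow entry uses.

Added example, not code from the forum thread. It applies the check the
post above describes (sha512 hashes start with '$6', md5 with '$1') to
every account in a shadow-format file and lists the ones still needing a
password change. The SAMPLE_SHADOW entries below are constructed; the
hash strings are placeholders, not real password hashes.
"""
import re
import sys

# crypt(3) prefix -> algorithm. '$6$' and '$1$' are the two the post cites;
# the rest are the other prefixes listed in crypt(5).
PREFIXES = {
    "$6$": "sha512",
    "$5$": "sha256",
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
    "$7$": "scrypt",
}

# Traditional DES crypt: exactly 13 characters, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (algorithm, locked) for one shadow password field.

    'passwd -l' prepends '!' but keeps the old hash, so a locked account
    still reports the algorithm of the hash behind the '!'. An empty field
    means no password at all; '*' or a bare '!' means no password login.
    """
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body == "":
        return ("none", locked)
    if body == "*":
        return ("none", True)
    for prefix, algo in PREFIXES.items():
        if body.startswith(prefix):
            return (algo, locked)
    if DES_RE.match(body):
        return ("des", locked)
    return ("unknown", locked)


def audit_shadow(text, want="sha512"):
    """Map user -> (algorithm, locked, needs_change) for shadow-format text.

    needs_change is True when the account has a real hash of a different
    algorithm than `want`, or has no password while not being locked.
    """
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        algo, locked = classify_hash(field)
        if algo == "none":
            needs_change = not locked
        else:
            needs_change = algo != want
        report[user] = (algo, locked, needs_change)
    return report


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$WUnzpL9d3q2PvbIGeq3HuTD1yi8sPb1uw2l4lq0Xd9LGBqI2k9QbkiOhgqgO2SyCm5R9pm29m1vptDy0ULq.5.:15500:0:99999:7:::
legacy:$1$abcdefgh$ZO8XNSn2Ul.Zkw7rVtODa1:15000:0:99999:7:::
olduser:ab0EwkNOQfaiI:14000:0:99999:7:::
locked:!$6$zyxwvuts$KsFr1jCZ5SOGnWZV.IYmAyfl9jnlhQOp6DjePuXGy7pmHDWqwEY3WQnSzw94jAa/xGPr.CNSofxXC7JbFN2d3/:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
nopass::15500:0:99999:7:::
"""


def main(argv):
    # With a path argument (e.g. /etc/shadow, run as root) audit that file,
    # otherwise audit the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SHADOW
    for user, (algo, locked, needs) in audit_shadow(text).items():
        flag = "CHANGE" if needs else "ok"
        state = "locked" if locked else ""
        print(f"{user:12s} {algo:9s} {state:7s} {flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root with /etc/shadow as the argument; every line flagged CHANGE is an account whose password must be re-set before it is stored with the algorithm now configured. A locked account with an old '$1' hash is still reported as md5, since unlocking it restores that hash.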
Princess Nell
l33t


Joined: 15 Apr 2005
Posts: 916

PostPosted: Wed Jun 13, 2012 10:42 pm    Post subject: Reply with quote

Something isn't quite right here. I'm sure this is a part of my system that I've never touched, so it's running on defaults. /etc/login.defs does not declare ENCRYPT_METHOD, but says the default is DES. Yet, the shadow passwords are SHA-512, and pam is configured for sha512, too. Are the comments in login.defs wrong?
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

PostPosted: Wed Jun 13, 2012 11:58 pm    Post subject: Reply with quote

Princess Nell wrote:
Something isn't quite right here. I'm sure this is a part of my system that I've never touched, so it's running on defaults. /etc/login.defs does not declare ENCRYPT_METHOD, but says the default is DES. Yet, the shadow passwords are SHA-512, and pam is configured for sha512, too. Are the comments in login.defs wrong?

I'm not sure about this.

Many of the settings in /etc/login.defs are preempted by settings in pam. It's possible that this is one of them, even though the login.defs file does not include a comment to that effect (as it does for some other settings).

However, it might be a good idea to change your login.defs file to match your pam entry. Even if pam preempts login.defs when you run the passwd utility, login.defs settings might still be used by some other utility (e.g., 'useradd'); you might as well make them agree.

It's also possible that the comments are simply inherited from upstream, and when Gentoo switched its default password hashing algorithm over to sha512 from md5 they opted not to enable ENCRYPTMETHOD_SELECT or opted not to enable certain hash algos. I think this is unlikely, but it could be confirmed by attempting to set hashing back to md5 in both places and making a password change (the string in /etc/shadow would start with $1).
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
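Whether or not pam preempts login.defs, the advice above is to make the two settings agree. The script below is an added example (not code from this thread or from Gentoo) that reads ENCRYPT_METHOD from login.defs text and the hash option from the pam_unix password line of system-auth text and reports whether they match. The sample texts are constructed to look like the files described in the thread: a login.defs with only the commented '#ENCRYPT_METHOD DES' line (so the DES default applies) and one with 'ENCRYPT_METHOD SHA512' added. Two assumptions are built in: the checker takes the last uncommented ENCRYPT_METHOD line, and a pam_unix line that names no hash option is reported as unspecified and never counted as a match.

```python
"""Check that login.defs and pam_unix agree on the password hash.

Added example; not code from the thread. It reads the two settings the
post above says should match: ENCRYPT_METHOD in /etc/login.defs and the
hash option on the pam_unix 'password' line in /etc/pam.d/system-auth.
The sample texts are constructed. Assumptions: the last uncommented
ENCRYPT_METHOD line wins, and a pam_unix line with no hash option is
reported as unspecified (None) rather than treated as a match.
"""
import re

# Hash-selecting options accepted by pam_unix(8).
PAM_HASH_OPTIONS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
                    "yescrypt", "gost_yescrypt"}

# 'password <control> <path/to/>pam_unix.so <options>'; the control field
# may be a bracketed list such as '[success=1 default=ignore]'.
PAM_UNIX_LINE = re.compile(
    r"^\s*password\s+(?:\[[^\]]*\]|\S+)\s+\S*pam_unix\.so\s*(.*)$")


def login_defs_method(text, default="DES"):
    """Return ENCRYPT_METHOD from login.defs text; commented lines are ignored."""
    method = default
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if parts[0] == "ENCRYPT_METHOD" and len(parts) > 1:
            method = parts[1]  # assumption: last uncommented line wins
    return method.upper()


def pam_unix_method(text):
    """Return the hash option on the first pam_unix 'password' line.

    None means the line carries no hash option (module default applies);
    'ambiguous' means it names more than one.
    """
    for line in text.splitlines():
        m = PAM_UNIX_LINE.match(line)
        if not m:
            continue
        opts = set(m.group(1).split()) & PAM_HASH_OPTIONS
        if len(opts) > 1:
            return "ambiguous"
        return opts.pop() if opts else None
    return None


def check_agreement(login_defs_text, pam_text):
    """Compare the two settings; agree is True only when both name the same hash."""
    ld = login_defs_method(login_defs_text)
    pam = pam_unix_method(pam_text)
    agree = pam is not None and pam != "ambiguous" and pam.upper() == ld
    return {"login_defs": ld, "pam_unix": pam, "agree": agree}


# Constructed login.defs as described in the thread: the only
# ENCRYPT_METHOD line is a comment, so the default (DES) applies.
LOGIN_DEFS_DEFAULT = """\
#ENCRYPT_METHOD DES
UMASK 022
"""

# Constructed login.defs after the edit from the first answer.
LOGIN_DEFS_FIXED = """\
#ENCRYPT_METHOD DES
ENCRYPT_METHOD SHA512
UMASK 022
"""

# Constructed system-auth fragment carrying the password line quoted above.
SYSTEM_AUTH = """\
auth       required      pam_unix.so try_first_pass nullok
password   required      pam_cracklib.so difok=2 minlen=8 retry=3
password   required      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

if __name__ == "__main__":
    for label, ld in (("default", LOGIN_DEFS_DEFAULT), ("fixed", LOGIN_DEFS_FIXED)):
        print(label, check_agreement(ld, SYSTEM_AUTH))
```

On a real system feed it the contents of /etc/login.defs and /etc/pam.d/system-auth; a result of agree False with login_defs 'DES' and pam_unix 'sha512' is exactly the situation the later posts in this thread describe.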
Cr0t
l33t


Joined: 27 Apr 2002
Posts: 944
Location: USA

PostPosted: Thu Jun 14, 2012 4:58 pm    Post subject: Reply with quote

You can identify the type of encryption by the first couple of characters. For example $6$ is sha512.
_________________
cya
    ©®0t
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

PostPosted: Thu Jun 14, 2012 8:47 pm    Post subject: Reply with quote

Yes. As I said:
BoneKracker wrote:
You can see which hashing algorithm has been used for each password by examining the /etc/shadow file: passwords hashed with sha512 should begin with '$6' (per the man page for 'crypt').

BoneKracker wrote:
... set hashing back to md5 in both places and making a password change (the string in /etc/shadow would start with $1).

_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Massimo B.
Veteran


Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

PostPosted: Tue Sep 16, 2014 11:25 am    Post subject: Reply with quote

Still the same question: why do the passwords here already seem to be sha512 encrypted (starting with $6$, and /etc/pam.d/system-auth also has sha512), even though /etc/login.defs has no ENCRYPT_METHOD set and defaults to DES?
Just to be sure the currently best encryption is really active here...
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

PostPosted: Tue Sep 16, 2014 4:26 pm    Post subject: Reply with quote

Still the same answer

Many of the settings in /etc/login.defs are preempted by settings in pam. It's possible that this is one of them, even though the login.defs file does not include a comment to that effect (as it does for some other settings).

However, it might be a good idea to change your login.defs file to match your pam entry. Even if pam preempts login.defs when you run the passwd utility, login.defs settings might still be used by some other utility (e.g., 'useradd'); you might as well make them agree.

It's also possible that the comments are simply inherited from upstream, and when Gentoo switched its default password hashing algorithm over to sha512 from md5 they opted not to enable ENCRYPTMETHOD_SELECT or opted not to enable certain hash algos. I think this is unlikely, but it could be confirmed by attempting to set hashing back to md5 in both places and making a password change (the string in /etc/shadow would start with $1).
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Massimo B.
Veteran


Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

PostPosted: Wed Sep 17, 2014 8:03 am    Post subject: Reply with quote

I agree that login.defs should be synchronized with the Gentoo pam settings. This is worth a bug report (-> bug 522992). The login.defs should at least mention that it is obsolete, and if it is used by other tools, it should at least be in sync with the pam settings.

However, at the end of this manpage I find the hint, but my current man login.defs mentions nothing about it.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B.
Veteran


Joined: 09 Feb 2005
Posts: 1771
Location: PB, Germany

PostPosted: Mon Sep 22, 2014 7:08 am    Post subject: Reply with quote

Did you read the answer that is written in the bug, and do you agree with it? I still think that the man page and the comments in login.defs do not match the status when USE="pam" is enabled, which is widely the default.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770