Difference between revisions of "SHA password hashes"

From ArchWiki
(Why Should You Use SHA-2?: Grammar and clarity)
(Format, organization, style and clarity)
Line 1: Line 1:
 
[[Category:Security (English)]]
 
[[Category:Security (English)]]
{{Warning|fgetty doesn't support sha512 passwords, so you'll have to switch to mingetty or you will be locked out (regular agetty supports sha512 too)}}
 
 
==Why Should You Use SHA-2?==
 
==Why Should You Use SHA-2?==
 
In Linux distributions login passwords are commonly hashed and stored in the /etc/shadow file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.
 
In Linux distributions login passwords are commonly hashed and stored in the /etc/shadow file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.
  
In the below examples, ''sha512'' may be used instead of ''sha256'', for even stronger cryptography. [http://en.wikipedia.org/wiki/SHA-2 SHA2]
+
The following tutorial uses the ''sha512'' hash function, which has been  recommended by the NSA for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of three additional hash functions with digests that are 224, 256 or 384 bits.
 +
{{Warning|fgetty doesn't support sha512 passwords, so you'll have to switch to mingetty or you will be locked out (regular agetty supports sha512 too).}}
  
 
==Editing the Necessary Files==
 
==Editing the Necessary Files==
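Review bot: the added sentence "Alternatively, SHA-2 consists of three additional hash functions with digests that are 224, 256 or 384 bits" reads as if all three were drop-in alternatives to sha512, while the removed line named sha256 explicitly and the page's verification step only mentions the $5 (sha256) and $6 (sha512) prefixes. Suggest saying which of them can actually be used in the files edited below. The fgetty Warning was also moved from the top of the page to below the introduction; since it describes a lockout, consider keeping it first.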
Line 15: Line 15:
 
A [http://linux.die.net/man/8/pam_unix more detailed explanation] of those options is available in the pam man pages, but what we are interested in is the option '''md5'''.
 
A [http://linux.die.net/man/8/pam_unix more detailed explanation] of those options is available in the pam man pages, but what we are interested in is the option '''md5'''.
  
Replace <tt>md5</tt> to <tt>sha256</tt>, or <tt>sha512</tt> (recommended by the NSA for RHEL5).  
+
Replace <tt>md5</tt> with <tt>sha512</tt>.  
  
 
The rounds=N parameter is for [http://en.wikipedia.org/wiki/Key_strengthening Key Strengthening] the choice of N has a more important impact on Security than the hashfunction in use! N = 65536 means that the Attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow, so he is slown down by that factor. Also this means that your box has to do 65536 hashes everytime you log in ... but even on slow computers that takes less than 1 second.
 
The rounds=N parameter is for [http://en.wikipedia.org/wiki/Key_strengthening Key Strengthening] the choice of N has a more important impact on Security than the hashfunction in use! N = 65536 means that the Attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow, so he is slown down by that factor. Also this means that your box has to do 65536 hashes everytime you log in ... but even on slow computers that takes less than 1 second.
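Review bot: the new instruction "Replace md5 with sha512." does not tell the reader to add anything else, yet the following paragraph explains rounds=N and the resulting file shown on the page contains "rounds=65536". Suggest wording such as "Replace md5 with sha512 and append rounds=65536." so that the step produces the file the page says it should.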
Line 60: Line 60:
 
or whatever SHA-2 encryption you are using.
 
or whatever SHA-2 encryption you are using.
  
Note: It's unclear whether this is still necessary with the <tt>/etc/shadow</tt> mechanism.
+
{{Note|It's unclear whether this is still necessary with the <tt>/etc/shadow</tt> mechanism.}}
  
 
===Editing /etc/login.defs===
 
===Editing /etc/login.defs===
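Review bot: wrapping the sentence in {{Note}} gives more prominence to "It's unclear whether this is still necessary" without resolving it, and the context line above it still says "SHA-2 encryption" for what is a hash. Suggest either confirming whether /etc/default/passwd is consulted when /etc/shadow is in use or flagging the section as needing verification, and changing "encryption" to "hash" in the same edit.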

Revision as of 18:08, 3 May 2011

Why Should You Use SHA-2?

In Linux distributions, login passwords are commonly hashed and stored in the /etc/shadow file using the MD5 algorithm. The security of the MD5 hash function has been severely compromised by collision vulnerabilities. This does not mean MD5 is insecure for password hashing, but in the interest of decreasing vulnerabilities, a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.

The following tutorial uses the sha512 hash function, which has been recommended by the NSA for Red Hat Enterprise Linux 5. SHA-2 also includes three other hash functions, with digests of 224, 256 or 384 bits.

Warning: fgetty doesn't support sha512 passwords, so you'll have to switch to mingetty or you will be locked out (regular agetty supports sha512 too).

Editing the Necessary Files

Editing /etc/pam.d/passwd

You must be root to edit this file. What you will probably see is something like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so md5 shadow nullok

A more detailed explanation of those options is available in the pam man pages, but what we are interested in is the option md5.

Replace md5 with sha512.

The rounds=N parameter is for key strengthening. The choice of N has a more important impact on security than the hash function in use! N = 65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow, so he is slowed down by that factor. It also means that your box has to do 65536 hashes every time you log in, but even on slow computers that takes less than 1 second.

After doing so, the file should look like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok rounds=65536

Editing /etc/default/passwd

You will also need root access to edit this file. It most likely looks like this:

# This file contains some information for
# the passwd (1) command and other tools 
# creating or modifying passwords.

# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des

# Use another crypt hash for group passwowrds.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=5

# For NIS, we should always use DES:
CRYPT_YP=des

Once again, the change is very simple. Change

CRYPT=des

to

CRYPT=sha512

or whichever SHA-2 hash you are using.

Note: It's unclear whether this is still necessary with the /etc/shadow mechanism.

Editing /etc/login.defs

According to passwd's man page, this file has to be edited when the /etc/shadow mechanism is used for storing passwords. Add the following line (adjusted to whatever algorithm you use) to /etc/login.defs:

ENCRYPT_METHOD SHA512

Final Steps

Even though you have changed the hashing algorithm, your existing passwords are not automatically rehashed!

To fix this, you must reset all user passwords so that they can be rehashed.

As root, the command

# passwd <username>

where <username> is the name of the user whose password you are changing, will allow you to do this. Simply re-enter their current password, and it will be rehashed to the more secure SHA-2 version!

To verify that your passwords have been rehashed, check the /etc/shadow file as root. Passwords hashed with sha256 should begin with a $5 (passwords hashed with sha512 will begin with $6).
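
The check described above can be scripted. The following is an added example, not part of the wiki page: it classifies every entry of a shadow-format file by its hash prefix, reports any rounds=N value, and lists the users who still need a password reset, assuming sha512 is the target. The function names and the sample entries (with placeholder salts and digests) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the hash scheme of each entry in a shadow-format file.
# Field 2 of each line is the hash, laid out as $id$[rounds=N$]salt$digest.

# Print "user scheme rounds" for every line of the file given as $1.
classify_shadow() {
    awk -F: '
    {
        h = $2; rounds = "-"
        if (h == "")                      scheme = "empty"    # no password set
        else if (h ~ /^[!*]/)             scheme = "locked"   # login disabled
        else if (substr(h, 1, 1) != "$")  scheme = "des"      # traditional crypt, no $ prefix
        else {
            split(h, p, "[$]")            # p[2] = scheme id, p[3] = rounds=N or salt
            if (p[2] == "1")      scheme = "md5"
            else if (p[2] == "5") scheme = "sha256"
            else if (p[2] == "6") scheme = "sha512"
            else                  scheme = "other"
            if (scheme ~ /^sha/)
                rounds = (p[3] ~ /^rounds=/) ? substr(p[3], 8) : "default"
        }
        print $1, scheme, rounds
    }' "$1"
}

# Print the users whose password must be reset to obtain a sha512 hash.
needs_rehash() {
    classify_shadow "$1" |
        awk '$2 == "des" || $2 == "md5" || $2 == "sha256" || $2 == "other" { print $1 }'
}

# Constructed sample entries; salts and digests are placeholders, not real hashes.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:$6$rounds=65536$SALTSALT$DIGESTPLACEHOLDER:15000:0:99999:7:::
alice:$1$SALTSALT$DIGESTPLACEHOLDER:15000:0:99999:7:::
bob:$5$SALTSALT$DIGESTPLACEHOLDER:15000:0:99999:7:::
carol:$6$SALTSALT$DIGESTPLACEHOLDER:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
EOF

classify_shadow "$sample"
echo "still to rehash: $(needs_rehash "$sample" | tr '\n' ' ')"
```

On a live system, run the functions as root against /etc/shadow. An entry reported as sha512 with "default" rounds was hashed before rounds=65536 was added to the PAM configuration.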