Difference between revisions of "SHA password hashes"

From ArchWiki
(Why Should You Use SHA-2?)
m (Fixes typo in my previous edit)
(47 intermediate revisions by 13 users not shown)
Line 1: Line 1:
[[Category:Security (English)]]
+
[[Category:Security]]
{{Warning|fgetty doesn't support sha512 passwords, so you'll have to switch to mingetty or you will be locked out (regular agetty supports sha512 too)}}
+
{{note|1= With {{pkg|shadow}} 4.1.4.3-3 ''sha512'' is the default for new passwords (see [https://bugs.archlinux.org/task/13591#comment85993 bug 13591]).}}
==Why Should You Use SHA-2?==
+
In common Linux distributions login passwords are hashed and stored in the file /etc/shadow. The algorithm used for that purpose is MD5 which is usually [http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities know to have some weaknesses due to collision issues]. This does not mean MD5 is insecure for password hashing but it would be nice to use a more secure algorithm that has no known weaknesses. For that reason and because the basic Arch Linux installation uses MD5, it is advised to use a more robust encryption algorythm such as SHA.
+
  
In the below examples, ''sha512'' may be used instead of ''sha256'', for even stronger cryptography. [http://en.wikipedia.org/wiki/SHA-2 SHA2]
+
If your current password was created with {{pkg|shadow}} version prior to 4.1.4.3-3 (2011-11-26) you are using MD5. To start using a SHA-512 hash you just need to change your password with ''passwd''.
  
==Editing the Necessary Files==
+
==Benefits of SHA-2 over MD5==
===Editing /etc/pam.d/passwd===
+
In Linux distributions login passwords are commonly hashed and stored in the {{ic|/etc/shadow}} file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (e.g. SHA-512) is recommended.
You must be root to edit this file. What you will probably see is something like this:
+
#%PAM-1.0
+
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+
#password required pam_unix.so md5 shadow use_authtok
+
password required pam_unix.so md5 shadow nullok
+
A [http://linux.die.net/man/8/pam_unix more detailed explanation] of those options is available in the pam man pages, but what we are interested in is the option '''md5'''.
+
  
Replace <tt>md5</tt> to <tt>sha256</tt>, or <tt>sha512</tt> (recommended by the NSA for RHEL5).  
+
The following tutorial uses the SHA-512 hash function, which has been recommended by the United States' National Security Agency (NSA) for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of four additional hash functions with digests that are 224, 256, 384, and 512 bits.
  
The rounds=N parameter is for [http://en.wikipedia.org/wiki/Key_strengthening Key Strengthening] the choice of N has a more important impact on Security than the hashfunction in use! N = 65536 means that the Attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow, so he is slown down by that factor. Also this means that your box has to do 65536 hashes everytime you log in ... but even on slow computers that takes less than 1 second.
+
==Increasing Security==
 +
{{note|You must have root privileges to edit this file.}}
 +
The {{ic|1=rounds=N}} option helps to improve [[Wikipedia:Key stretching|key strengthening]]. The number of rounds has a larger impact on security than the selection of a hash function. For example, {{ic|1=rounds=65536}} means that an attacker has to compute 65536 hashes for each password he tests against the hash in your {{ic|/etc/shadow}}. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the {{ic|rounds}} option, then glibc will '''default''' to '''5000''' rounds for SHA-512. Additionally, the default value for the {{ic|rounds}} option can be found in {{ic|sha512-crypt.c}}.
  
After doing so, the file should look like this:
+
Open {{ic|/etc/pam.d/passwd}} with a text editor and add the {{ic|rounds}} option at the end of of the uncommented line. After applying this change the line should look like this:
#%PAM-1.0
+
  password required pam_unix.so sha512 shadow nullok '''rounds=65536'''
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+
#password required pam_unix.so md5 shadow use_authtok
+
  password required pam_unix.so '''sha512''' shadow nullok '''rounds=65536'''
+
  
===Editing /etc/default/passwd===
+
{{note|For a more detailed explanation of the {{ic|/etc/pam.d/passwd}} password options check the [http://linux.die.net/man/8/pam_unix PAM man page].}}
You will also need root access to edit this file. It most likely looks like this:
+
# This file contains some information for
+
# the passwd (1) command and other tools
+
# creating or modifying passwords.
+
+
# Define default crypt hash
+
# CRYPT={des,md5,blowfish}
+
CRYPT=des
+
+
# Use another crypt hash for group passwowrds.
+
# This is used by gpasswd, fallback is the CRYPT entry.
+
# GROUP_CRYPT=des
+
+
+
# We can override the default for a special service
+
# by appending the service name (FILES, YP, NISPLUS, LDAP)
+
+
# for local files, use a more secure hash. We
+
# don't need to be portable here:
+
CRYPT_FILES=blowfish
+
# sometimes we need to specify special options for
+
# a hash (variable is prepended by the name of the
+
# crypt hash).
+
BLOWFISH_CRYPT_FILES=5
+
+
# For NIS, we should always use DES:
+
CRYPT_YP=des
+
Once again, the change is very simple.
+
Change
+
CRYPT=des
+
to
+
CRYPT=sha512
+
or whatever SHA-2 encryption you are using.
+
  
Note: It's unclear whether this is still necessary with the <tt>/etc/shadow</tt> mechanism.
+
==Re-Hash the Passwords==
 +
Even though you have changed the encryption settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.
  
===Editing /etc/login.defs===
+
As root issue the following the command,
 +
# passwd <username>
 +
where {{ic|<username>}} is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed using the SHA-2 function.
  
According to <tt>passwd</tt>'s man page, this file has to be edited when the <tt>/etc/shadow</tt> mechanism is used for storing passwords. Add the following line (adjusted to whatever algorithm you use) to <tt>/etc/login.defs</tt>:
+
To verify that your passwords have been re-hashed, check the {{ic|/etc/shadow}} file as root. Passwords hashed with SHA-256 should begin with a {{ic|$5}} and passwords hashed with SHA-512 will begin with {{ic|$6}}.
  
ENCRYPT_METHOD=SHA512
+
==Known Problems==
 
+
===fgetty===
==Final Steps==
+
Arch Linux is using SHA-512 password hashing by default (since 2011-11-26). The very minimal terminal manager ''fgetty'' does not support SHA-512 password hashing by default. Enabling SHA-512 with the default ''fgetty'' will cause you to be locked out.
'''Even though you have changed the encryption, your passwords are not automatically rehashed!'''
+
A patched version of ''fgetty'' is in the [[Arch User Repository|AUR]] named {{AUR|fgetty-pam}} which adds SHA-512 support.
 
+
To fix this, you must reset all user passwords so that they can be rehashed.
+
 
+
As root, the command
+
# passwd '''<username>'''
+
where '''<username>''' is the name of the user whose password you are changing, will allow you to do this. Simply re-enter their current password, and it will be rehashed to the more secure SHA-2 version!
+
 
+
To verify that your passwords have been rehashed, check the /etc/shadow file as root. Passwords hashed with sha256 should begin with a '''$5''' (passwords hashed with sha512 will begin with '''$6''').
+
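Review bot: the verification sentence in the added "Re-Hash the Passwords" section checks only for the $5 / $6 prefix, which does not confirm that the rounds=65536 option added under "Increasing Security" took effect. A SHA-crypt hash created with a non-default round count stores it directly after the prefix (in the form $6$rounds=65536$...), so the text should tell the reader to look for that field as well. The change also drops the /etc/login.defs step (ENCRYPT_METHOD=SHA512) without saying whether it is still required; one sentence on that would help readers who followed the earlier instructions.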

Revision as of 04:04, 30 June 2013

Note: With shadow 4.1.4.3-3 sha512 is the default for new passwords (see bug 13591).

If your current password was created with shadow version prior to 4.1.4.3-3 (2011-11-26) you are using MD5. To start using a SHA-512 hash you just need to change your password with passwd.

Benefits of SHA-2 over MD5

In Linux distributions login passwords are commonly hashed and stored in the /etc/shadow file using the MD5 algorithm. The security of the MD5 hash function has been severely compromised by collision vulnerabilities. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (e.g. SHA-512) is recommended.

The following tutorial uses the SHA-512 hash function, which has been recommended by the United States' National Security Agency (NSA) for Red Hat Enterprise Linux 5. Alternatively, SHA-2 consists of four additional hash functions with digests that are 224, 256, 384, and 512 bits.

Increasing Security

Note: You must have root privileges to edit this file.

The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the rounds option, then glibc will default to 5000 rounds for SHA-512. Additionally, the default value for the rounds option can be found in sha512-crypt.c.

Open /etc/pam.d/passwd with a text editor and add the rounds option at the end of the uncommented line. After applying this change the line should look like this:

password	required	pam_unix.so sha512 shadow nullok rounds=65536
Note: For a more detailed explanation of the /etc/pam.d/passwd password options check the PAM man page.

Re-Hash the Passwords

Even though you have changed the encryption settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.

As root, issue the following command:

# passwd <username>

where <username> is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed using the SHA-2 function.

To verify that your passwords have been re-hashed, check the /etc/shadow file as root. Passwords hashed with SHA-256 should begin with a $5 and passwords hashed with SHA-512 will begin with $6.
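
The prefix check above, extended to also read the rounds= field that crypt stores inside the hash, as an added example that is not part of the ArchWiki page. The function names, the 65536 default threshold and the sample lines are assumptions made here; the salts and digests in the sample are placeholders, not real hashes.

```python
import re

# crypt(3) prefixes: the page names $5 (SHA-256) and $6 (SHA-512); $1 is MD5-crypt.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}
DEFAULT_SHA_ROUNDS = 5000  # used by glibc when the hash stores no rounds= field
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?")

# Constructed sample in /etc/shadow layout; salts and digests are placeholders.
SAMPLE = """\
root:$6$rounds=65536$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:15886::::::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:15886:0:99999:7:::
bob:$1$CONSTRUC$CONSTRUCTEDDIGEST:15000:0:99999:7:::
carol:!$5$rounds=65536$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:15886:0:99999:7:::
daemon:*:15886::::::
"""


def classify(field):
    """Return (scheme, rounds) for one shadow password field."""
    body = field.lstrip("!")  # a leading "!" only marks the account as locked
    if body in ("", "*"):
        return ("empty" if field == "" else "no-login", None)
    m = HASH_RE.match(body)
    if not m:
        return ("des-or-unknown", None)
    scheme = SCHEMES.get(m.group("id"), "other")
    if scheme in ("sha256", "sha512"):
        return (scheme, int(m.group("rounds") or DEFAULT_SHA_ROUNDS))
    return (scheme, None)


def audit_shadow(text, min_rounds=65536):
    """List (user, scheme, rounds, status) for every account with a password field."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, rounds = classify(parts[1])
        if scheme == "no-login":
            continue
        if scheme == "empty":
            status = "empty-password"
        elif rounds is not None and rounds >= min_rounds:
            status = "ok"
        else:
            status = "re-hash"  # MD5, DES/unknown, or SHA-crypt below min_rounds
        findings.append((parts[0], scheme, rounds, status))
    return findings


if __name__ == "__main__":
    for row in audit_shadow(SAMPLE):
        print(*row)
```

To audit a real system, pass the contents of /etc/shadow (read as root) to audit_shadow instead of SAMPLE.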

Known Problems

fgetty

Arch Linux is using SHA-512 password hashing by default (since 2011-11-26). The very minimal terminal manager fgetty does not support SHA-512 password hashing by default. Enabling SHA-512 with the default fgetty will cause you to be locked out. A patched version of fgetty, which adds SHA-512 support, is available in the AUR as fgetty-pam.