Difference between revisions of "SHA password hashes"

From ArchWiki
m (Final Steps: no need for the exclamation mark)
m (update man page link)
 
(27 intermediate revisions by 15 users not shown)
Line 1: Line 1:
[[Category:Security (English)]]
+
[[Category:Security]]
==Benefits of SHA-2 over MD5==
+
[[ja:SHA パスワードハッシュ]]
In Linux distributions login passwords are commonly hashed and stored in the {{Filename|/etc/shadow}} file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.
+
{{Related articles start}}
 +
{{Related|Security#Password hashes}}
 +
{{Related articles end}}
  
The following tutorial uses the ''sha512'' hash function, which has been recommended by the NSA for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of three additional hash functions with digests that are 224, 256 or 384 bits.
+
The Secure Hash Algorithms (SHA) are a set of [[Wikipedia:Cryptographic_hash_function|hash functions]] often used to encrypt passwords. By default Arch uses  SHA-512 for passwords, but some systems may still be using the older [[Wikipedia:MD5|MD5]] algorithm. This article describes how to increase password security.
  
===Support===
+
== Benefits of SHA-2 over MD5 ==
{{Warning|The very minimal terminal manager ''fgetty'' does not support sha512 password hashing by default. Enabling sha512 with the default ''fgetty'' will cause you to be locked out.}}
 
Arch Linux's default tty manager  ''agetty'' and the minimal tty manager ''mingetty'' both support sha512. Additionally, a [http://aur.archlinux.org/packages.php?ID=50943 patched version] of ''fgetty'' in the [[AUR]] adds sha512 support.
 
  
==Editing the Necessary Files==
+
{{Style|This section should perhaps be pruned and merged with article summary.}}
{{note|You must have root privileges to edit the files within this section.}}
 
===Editing /etc/pam.d/passwd===
 
A default {{Filename|/etc/pam.d/passwd}} should look like the following:
 
#%PAM-1.0
 
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 
#password required pam_unix.so md5 shadow use_authtok
 
password required pam_unix.so md5 shadow nullok
 
Open {{Filename|/etc/pam.d/passwd}} with a text editor and replace {{Codeline|md5}} with {{Codeline|sha512}} on the uncommented line. At the end of of the uncommented line add the {{Codeline|rounds}} option.
 
  
The ''rounds=N'' option helps to improve [[Wikipedia:Key Strengthening|key strengthening]]. The number of rounds has a larger impact on security than the selection of a hash function. For example, ''rounds=65536'' means that an attacker has to compute 65536 hashes for each password he tests against the hash in your {{Filename|/etc/shadow}}. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the ''rounds'' option then glibc will default to 5000 rounds for sha512. Additionally, the default value for the ''rounds'' option can be found in {{Filename|sha512-crypt.c}}.
+
In Linux distributions login passwords are commonly hashed and stored in the {{ic|/etc/shadow}} file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (e.g. SHA-512) is recommended.
  
{{note|For a more detailed explanation of the {{Filename|/etc/pam.d/passwd}} password options check the [http://linux.die.net/man/8/pam_unix pam man page].}}
+
The following tutorial uses the SHA-512 hash function, which has been recommended by the United States' National Security Agency (NSA) for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of four additional hash functions with digests that are 224, 256, 384, and 512 bits.
  
After applying the above changes your {{Filename|/etc/pam.d/passwd}} file should look like this:
+
== Increasing security ==
#%PAM-1.0
 
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 
#password required pam_unix.so md5 shadow use_authtok
 
password required pam_unix.so '''sha512''' shadow nullok '''rounds=65536'''
 
  
===Editing /etc/default/passwd===
+
{{Style|The notes and structure of this section lack focus and clarity.}}
Your default {{Filename|/etc/default/passwd}} file should look like this:
 
# This file contains some information for
 
# the passwd (1) command and other tools
 
# creating or modifying passwords.
 
 
# Define default crypt hash
 
# CRYPT={des,md5,blowfish}
 
CRYPT=des
 
 
# Use another crypt hash for group passwowrds.
 
# This is used by gpasswd, fallback is the CRYPT entry.
 
# GROUP_CRYPT=des
 
 
 
# We can override the default for a special service
 
# by appending the service name (FILES, YP, NISPLUS, LDAP)
 
 
# for local files, use a more secure hash. We
 
# do not need to be portable here:
 
CRYPT_FILES=blowfish
 
# sometimes we need to specify special options for
 
# a hash (variable is prepended by the name of the
 
# crypt hash).
 
BLOWFISH_CRYPT_FILES=5
 
 
# For NIS, we should always use DES:
 
CRYPT_YP=des
 
On line 7 of the above example file, change
 
CRYPT=des
 
to
 
CRYPT=sha512
 
  
{{Note|It is unclear whether this is still necessary with the {{Filename|/etc/shadow}} mechanism.}}
+
{{Note|1=With {{pkg|shadow}} 4.1.4.3-3 ''sha512'' is the default for new passwords (see [https://bugs.archlinux.org/task/13591#comment85993 bug 13591]).}}
  
===Editing {{Filename|/etc/login.defs}}===
+
If your current password was created with {{pkg|shadow}} version prior to 4.1.4.3-3 (2011-11-26) you are using MD5. To start using a SHA-512 hash you just need to change your password with ''passwd''.
  
According to ''passwd'''s man page, this file has to be edited when the {{Filename|/etc/shadow}} mechanism is used for storing passwords. Add the following line to {{Filename|/etc/login.defs}}:
+
{{Note|You must have root privileges to edit this file.}}
  
ENCRYPT_METHOD SHA512
+
The {{ic|1=rounds=N}} option helps to improve [[Wikipedia:Key stretching|key strengthening]]. The number of rounds has a larger impact on security than the selection of a hash function. For example, {{ic|1=rounds=65536}} means that an attacker has to compute 65536 hashes for each password he tests against the hash in your {{ic|/etc/shadow}}. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the {{ic|rounds}} option, then glibc will '''default''' to '''5000''' rounds for SHA-512. Additionally, the default value for the {{ic|rounds}} option can be found in {{ic|sha512-crypt.c}}.
  
==Final Steps==
+
Open {{ic|/etc/pam.d/passwd}} with a text editor and add the {{ic|rounds}} option at the end of of the uncommented line. After applying this change the line should look like this:
Even though you have changed the encryption, your passwords are not automatically rehashed. To fix this, you must reset all user passwords so that they can be rehashed.
 
  
As root issue the following the command,
+
  password required pam_unix.so sha512 shadow nullok '''rounds=65536'''
  # passwd <username>
 
where {{Codeline|<username>}} is the name of the user whose password you are changing. Then re-enter their current password, and it will be rehashed using the SHA-2 function.
 
  
To verify that your passwords have been rehashed, check the {{Filename|/etc/shadow}} file as root. Passwords hashed with ''sha256'' should begin with a '''$5''' and passwords hashed with ''sha512'' will begin with '''$6'''.
+
{{note|For a more detailed explanation of the {{ic|/etc/pam.d/passwd}} password options check the {{man|8|pam_unix}} man page.}}
 +
 
 +
== Re-hash the passwords ==
 +
 
 +
Even though you have changed the encryption settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.
 +
 
 +
As root issue the following command,
 +
 
 +
# passwd ''username''
 +
 
 +
where {{ic|''username''}} is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed using the SHA-2 function.
 +
 
 +
To verify that your passwords have been re-hashed, check the {{ic|/etc/shadow}} file as root. Passwords hashed with SHA-256 should begin with a {{ic|$5}} and passwords hashed with SHA-512 will begin with {{ic|$6}}.
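
Review bot: the added lead sentence says Arch uses SHA-512 by default, yet the "Benefits of SHA-2 over MD5" paragraph kept in the new text still opens with passwords being "commonly hashed and stored in the /etc/shadow file using the MD5 algorithm", so the two statements should be reconciled (for example by wording the MD5 sentence as describing older installations). The same lead sentence says the SHA functions are used to "encrypt passwords" where the rest of the revision speaks of hashing, and the added instruction for /etc/pam.d/passwd carries over the duplicated word in "at the end of of the uncommented line". In the added SHA-2 sentence, "four additional hash functions" now lists 512 bits among the alternatives to the SHA-512 the tutorial itself uses, so "additional" no longer fits.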

Latest revision as of 08:43, 10 September 2017

The Secure Hash Algorithms (SHA) are a set of hash functions often used for hashing passwords. By default Arch uses SHA-512 for passwords, but some systems may still be using the older MD5 algorithm. This article describes how to increase password security.

Benefits of SHA-2 over MD5


In Linux distributions, login passwords are commonly hashed with the MD5 algorithm and stored in the /etc/shadow file. The security of the MD5 hash function has been severely compromised by collision vulnerabilities. This does not mean MD5 is insecure for password hashing, but in the interest of decreasing vulnerabilities, a more secure and robust algorithm that has no known weaknesses (e.g. SHA-512) is recommended.

The following tutorial uses the SHA-512 hash function, which has been recommended by the United States' National Security Agency (NSA) for Red Hat Enterprise Linux 5. Alternatively, SHA-2 consists of four additional hash functions with digests that are 224, 256, 384, and 512 bits.

Increasing security

Note: With shadow 4.1.4.3-3 sha512 is the default for new passwords (see bug 13591).

If your current password was created with a shadow version prior to 4.1.4.3-3 (2011-11-26), you are using MD5. To start using a SHA-512 hash, you just need to change your password with passwd.

Note: You must have root privileges to edit this file.

The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the rounds option, then glibc will default to 5000 rounds for SHA-512. Additionally, the default value for the rounds option can be found in sha512-crypt.c.

Open /etc/pam.d/passwd with a text editor and add the rounds option at the end of the uncommented line. After applying this change, the line should look like this:

password	required	pam_unix.so sha512 shadow nullok rounds=65536
Note: For a more detailed explanation of the /etc/pam.d/passwd password options check the pam_unix(8) man page.

Re-hash the passwords

Even though you have changed the hashing settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.

As root, issue the following command:

# passwd username

where username is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed using the SHA-2 function.

To verify that your passwords have been re-hashed, check the /etc/shadow file as root. Passwords hashed with SHA-256 should begin with a $5 and passwords hashed with SHA-512 will begin with $6.
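
The verification step above can be scripted instead of reading /etc/shadow by eye. The following is an added example, not part of the wiki page: `classify` and `needs_rehash` are hypothetical helper names, the sample entries are constructed with placeholder salts and digests, and the `$1$` MD5 prefix and the `$6$rounds=N$` layout are the standard crypt(3) forms rather than something the article states.

```sh
#!/bin/sh
# Added example (not from the wiki page). Sample data below is constructed;
# salts and digests are placeholders, not real hashes.

# classify FILE: print "user scheme rounds" for every entry that holds a hash.
classify() {
    awk -F: '
    {
        h = $2
        sub(/^!+/, "", h)                 # a leading "!" only marks a locked account
        n = split(h, f, "[$]")            # "$6$rounds=N$salt$digest" -> "", "6", "rounds=N", ...
        if (n < 4) next                   # "*", "!" or empty: no password hash stored
        if      (f[2] == "1") scheme = "md5"
        else if (f[2] == "5") scheme = "sha256"
        else if (f[2] == "6") scheme = "sha512"
        else                  scheme = "other"
        if (f[3] ~ /^rounds=[0-9]+$/)     rounds = substr(f[3], 8)
        else if (scheme == "sha512")      rounds = 5000   # glibc default per the article
        else                              rounds = "-"
        print $1, scheme, rounds
    }' "$1"
}

# needs_rehash FILE MIN: users whose hash is not SHA-512 with at least MIN rounds.
needs_rehash() {
    classify "$1" | awk -v min="$2" '$2 != "sha512" || $3 + 0 < min + 0 { print $1 }'
}

# Constructed shadow-format sample covering each case the article mentions.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$1$saltsalt$PLACEHOLDERDIGEST:17000:0:99999:7:::
bob:$6$saltsalt$PLACEHOLDERDIGEST:17000:0:99999:7:::
carol:$6$rounds=65536$saltsalt$PLACEHOLDERDIGEST:17419:0:99999:7:::
dave:$5$saltsalt$PLACEHOLDERDIGEST:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
EOF

classify "$sample"
echo "still to re-hash: $(needs_rehash "$sample" 65536 | tr '\n' ' ')"
```

Run as root, `needs_rehash /etc/shadow 65536` lists the accounts that still need a `passwd` run after the rounds option has been added.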