Difference between revisions of "SHA password hashes"

From ArchWiki
Jump to: navigation, search
m (Final Steps: no need for the exclamation mark)
(Deleted edit login.defs and added info because sha512 is now default)
Line 2: Line 2:
 
==Benefits of SHA-2 over MD5==
 
==Benefits of SHA-2 over MD5==
 
In Linux distributions login passwords are commonly hashed and stored in the {{Filename|/etc/shadow}} file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.
 
In Linux distributions login passwords are commonly hashed and stored in the {{Filename|/etc/shadow}} file using the [[Wikipedia:MD5|MD5 algorithm]]. The security of the MD5 hash function has been severely compromised by [[Wikipedia:MD5#Collision_vulnerabilities|collision vulnerabilities]]. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.
 +
 +
{{Note|With shadow 4.1.4.3-3 '''sha512''' is default for new passwords. For more see [https://bugs.archlinux.org/task/13591#comment85993 here] and [http://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/shadow&id=98001501a8306ef5a0df55d1cffc048851894940 here].}}
  
 
The following tutorial uses the ''sha512'' hash function, which has been  recommended by the NSA for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of three additional hash functions with digests that are 224, 256 or 384 bits.
 
The following tutorial uses the ''sha512'' hash function, which has been  recommended by the NSA for Red Hat Enterprise Linux 5. Alternatively, [[Wikipedia:SHA-2|SHA-2]] consists of three additional hash functions with digests that are 224, 256 or 384 bits.
Line 64: Line 66:
 
{{Note|It is unclear whether this is still necessary with the {{Filename|/etc/shadow}} mechanism.}}
 
{{Note|It is unclear whether this is still necessary with the {{Filename|/etc/shadow}} mechanism.}}
  
===Editing {{Filename|/etc/login.defs}}===
+
{{Note|It is not necessary to edit /etc/login.defs. For more see [https://bugs.archlinux.org/task/13591#comment85993 here].}}
 
+
According to ''passwd'''s man page, this file has to be edited when the {{Filename|/etc/shadow}} mechanism is used for storing passwords. Add the following line to {{Filename|/etc/login.defs}}:
+
 
+
ENCRYPT_METHOD SHA512
+
  
 
==Final Steps==
 
==Final Steps==

Revision as of 14:09, 26 November 2011

Benefits of SHA-2 over MD5

In Linux distributions login passwords are commonly hashed and stored in the Template:Filename file using the MD5 algorithm. The security of the MD5 hash function has been severely compromised by collision vulnerabilities. This does not mean MD5 is insecure for password hashing but in the interest of decreasing vulnerabilities a more secure and robust algorithm that has no known weaknesses (i.e. SHA) is recommended.

Note:
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.

The following tutorial uses the sha512 hash function, which has been recommended by the NSA for Red Hat Enterprise Linux 5. Alternatively, SHA-2 consists of three additional hash functions with digests that are 224, 256 or 384 bits.

Support

Warning: The very minimal terminal manager fgetty does not support sha512 password hashing by default. Enabling sha512 with the default fgetty will cause you to be locked out.

Arch Linux's default tty manager agetty and the minimal tty manager mingetty both support sha512. Additionally, a patched version of fgetty in the AUR adds sha512 support.

Editing the Necessary Files

Note: You must have root privileges to edit the files within this section.

Editing /etc/pam.d/passwd

A default Template:Filename should look like the following:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so md5 shadow nullok

Open Template:Filename with a text editor and replace Template:Codeline with Template:Codeline on the uncommented line. At the end of of the uncommented line add the Template:Codeline option.

The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your Template:Filename. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the rounds option then glibc will default to 5000 rounds for sha512. Additionally, the default value for the rounds option can be found in Template:Filename.

Note: For a more detailed explanation of the Template:Filename password options check the pam man page.

After applying the above changes your Template:Filename file should look like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok rounds=65536

Editing /etc/default/passwd

Your default Template:Filename file should look like this:

# This file contains some information for
# the passwd (1) command and other tools 
# creating or modifying passwords.

# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des

# Use another crypt hash for group passwowrds.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# do not need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=5

# For NIS, we should always use DES:
CRYPT_YP=des

On line 7 of the above example file, change

CRYPT=des

to

CRYPT=sha512
Note: It is unclear whether this is still necessary with the Template:Filename mechanism.
Note: It is not necessary to edit /etc/login.defs. For more see here.

Final Steps

Even though you have changed the encryption, your passwords are not automatically rehashed. To fix this, you must reset all user passwords so that they can be rehashed.

As root issue the following the command,

# passwd <username>

where Template:Codeline is the name of the user whose password you are changing. Then re-enter their current password, and it will be rehashed using the SHA-2 function.

To verify that your passwords have been rehashed, check the Template:Filename file as root. Passwords hashed with sha256 should begin with a $5 and passwords hashed with sha512 will begin with $6.