Opened 13 years ago

Closed 13 years ago

#2814 closed task (fixed)

Use SHA-512 instead of MD5 for password encrypting

Reported by: willimm Owned by: Matthew Burgess
Priority: normal Milestone: 6.8
Component: Book Version: SVN
Severity: critical Keywords: sha-512 shadow md5 is very weak
Cc:

Description

See the thread starting with:

http://linuxfromscratch.org/pipermail/lfs-dev/2010-December/064462.html

Short summary: MD5 has been known for a while to be cryptographically weak (even though it's stronger than DES), and the attacks going around don't make me feel comfy with using MD5 for passwords.

The Government of the United States recommends that MD5 should be ditched and replaced with SHA-2. Now, as SHA-2 was added to Glibc in version 2.7, we could have done this a while ago if the word had come out sooner. But, let's face it, MD5 is weak.

The change is easy: In the Shadow instructions (in both LFS and BLFS), just simply replace the sed for MD5 with a sed for this:

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
        -e 's@/var/spool/mail@/var/mail@' etc/login.defs

And that's really it, as the PAM configuration is already using SHA-512.

Marking this as critical because, while I'd like to see this done soon, it's not exactly a deal breaker. Still very important, though.
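An added audit script, not part of the ticket or the LFS book, that checks both halves of this change on a host: whether login.defs now selects SHA512, and how many stored hashes still use MD5 or DES, since existing hashes are not rewritten until each password is changed. The file paths, sample contents and hash bodies are constructed.

```shell
# Added audit helper, not part of the LFS ticket or book: it reports which
# hashing scheme shadow will use (ENCRYPT_METHOD in login.defs) and which
# schemes the hashes already stored in a shadow-style file actually use.
# Constructed sample files let it run offline; on a real host you would point
# it at /etc/login.defs and /etc/shadow (readable only by root) instead.
SAMPLE_DIR=$(mktemp -d)
# Constructed login.defs fragment as shipped before the ticket's sed is applied.
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
#ENCRYPT_METHOD DES
EOF
# Constructed shadow-style lines; the hash bodies are placeholders, not real hashes.
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$c0nstructed$placeholderSHA512hash:15000:0:99999:7:::
alice:$1$c0nstr$placeholderMD5hash:15000:0:99999:7:::
legacy:abJnggxhB/yWI:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
EOF

# Effective ENCRYPT_METHOD: commented lines are ignored, the last live setting
# wins, and shadow falls back to DES when none is set (MD5_CRYPT_ENAB ignored).
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { print (m == "" ? "DES" : m) }' "$1"
}

# Classify one crypt(3) hash string by its prefix.
hash_scheme() {
    case "$1" in
        '$6$'*)         echo SHA512 ;;
        '$5$'*)         echo SHA256 ;;
        '$1$'*)         echo MD5 ;;
        '$2'[abxy]'$'*) echo BCRYPT ;;
        '!'*|'*'*|'')   echo LOCKED ;;  # disabled account or no password
        *)              echo DES ;;     # traditional crypt has no '$' prefix
    esac
}

# Number of accounts whose stored hash is still MD5 or DES: changing
# ENCRYPT_METHOD only affects passwords set afterwards, so these must be reset.
weak_hash_count() {
    n=0
    while IFS=: read -r _user hash _rest; do
        case "$(hash_scheme "$hash")" in MD5|DES) n=$((n + 1)) ;; esac
    done < "$1"
    echo "$n"
}

# The ENCRYPT_METHOD part of the sed from the ticket, applied to a given file.
apply_ticket_sed() {
    sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' "$1"
}
```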

Change History (2)

comment:1 by Matthew Burgess, 13 years ago

Owner: changed from lfs-book@… to Matthew Burgess
Status: new → assigned

comment:2 by Matthew Burgess, 13 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r9447.
