Opened 14 years ago

Closed 14 years ago

#2814 closed task (fixed)

Use SHA-512 instead of MD5 for password encrypting

Reported by: willimm Owned by: Matthew Burgess
Priority: normal Milestone: 6.8
Component: Book Version: SVN
Severity: critical Keywords: sha-512 shadow md5 is very weak
Cc:

Description

See the thread starting with:

http://linuxfromscratch.org/pipermail/lfs-dev/2010-December/064462.html

Short summary: MD5 is known for a while to be cryptographically weak (even through it's stronger than DES), and the attacks going around dosen't make me feel comfy with using MD5 for passwords.

The Goverment of the United States recommends that MD5 should be ditched and replaced with SHA-2. Now, as SHA-2 was added to Glibc in version 2.7, we could of done this a while ago if the word came out sooner. But, let's face it, MD5 is weak.

The change is easy: In the Shadow instructions (in both LFS and BLFS), just simply replace the sed for MD5 with a sed for this:

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
        -e 's@/var/spool/mail@/var/mail@' etc/login.defs

And that's really it, as the PAM configuration is arleady using SHA-512.

Marking this as critical because, while I'd like to see this done soon, it's not excatly a deal breaker. Still very important, through.

Change History (2)

comment:1 by Matthew Burgess, 14 years ago

Owner: changed from lfs-book@… to Matthew Burgess
Status: newassigned

comment:2 by Matthew Burgess, 14 years ago

Resolution: fixed
Status: assignedclosed

Fixed in r9447.

Note: See TracTickets for help on using tickets.