
On AIX, it would be a simple:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

Question: But how can we set the default password algorithm to sha512?

2  
Note that plain SHA512 and SSHA512 are very bad password hashes. Personally I recommend using bcrypt instead, but if you want something based on SHA512, use SHA512Crypt. –  CodesInChaos 19 hours ago

2 Answers

Set ENCRYPT_METHOD SHA512 in the file /etc/login.defs

Also pay attention to the NOTE in the same file, just above the ENCRYPT_METHOD parameter, which says:

Note: It is recommended to use a value consistent with the PAM modules configuration.

So an additional modification, along with /etc/login.defs, is to modify /etc/pam.d/common-password:

password [success=2 default=ignore] pam_unix.so obscure sha512

Here, obscure was handled by login.defs but is now obsoleted by PAM.

    
Thanks! But are you sure this works both on SLES and RHEL and DEB-based ones? –  freaking-good-question 20 hours ago
    
It works on Ubuntu. Didn't get a chance to try on SLES or RHEL. But it should work, IMHO –  SHW 20 hours ago
1  
Works on RedHat @freaking-good-question –  Mat 20 hours ago
    
This only affects group passwords; user passwords are done by PAM and subject to the PAM configuration. –  cuonglm 20 hours ago
    
Not really. The above setting is not only for user passwords but also for group passwords. In the file /etc/login.defs it is clearly noted that one must change the ENCRYPT_METHOD value consistently with the PAM module configuration. See the edited answer now –  SHW 19 hours ago

Linux uses PAM to handle authentication tasks. Setting the default password hashing algorithm is done by editing /etc/pam.d/common-password:

password    [success=1 default=ignore]    pam_unix.so obscure sha256

Change to whatever algorithm you want to use:

password    [success=1 default=ignore]    pam_unix.so obscure sha512

Now your default password hashing algorithm is changed to sha512. You also need to force other users to update their passwords:

chage -d 0 <username>
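Changing the PAM or login.defs setting only affects hashes written after the change, so accounts keep their old hash until the password is next set. The script below is an added example, not part of either answer: it reads the scheme from each shadow entry's crypt(3) `$id$` prefix to list accounts that still need a password change, and extracts the configured method from both files so they can be compared. The function names are hypothetical, the shadow entries are constructed, and the pam_unix option list checked is a subset.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not real hashes.

# Map a shadow password field to the scheme named by its crypt(3) $id$ prefix.
hash_scheme() {
    case "$1" in
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$y$'*) echo yescrypt ;;
        '$1$'*) echo md5 ;;
        ''|'*'*|'!'*) echo locked-or-empty ;;
        *) echo des-or-unknown ;;
    esac
}

# Read shadow-format lines on stdin and print "user:scheme" for every account
# with a usable hash that is not sha512, i.e. one that predates the change.
stale_accounts() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$field")
        case "$scheme" in
            sha512|locked-or-empty) ;;
            *) echo "$user:$scheme" ;;
        esac
    done
}

# Print the lowercased ENCRYPT_METHOD value from a login.defs-format file.
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { print tolower($2) }' "$1"
}

# Print the hash option given on the pam_unix.so password line of a PAM file.
pam_unix_method() {
    awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^(md5|sha256|sha512|blowfish|yescrypt)$/) print $i
    }' "$1"
}

# Constructed shadow entries for the demonstration.
sample_shadow() {
    cat <<'EOF'
alice:$6$examplesalt$examplehash:19000:0:99999:7:::
bob:$5$examplesalt$examplehash:19000:0:99999:7:::
carol:$1$examplesalt$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

sample_shadow | stale_accounts   # prints bob:sha256 and carol:md5
```

On a real system, run `stale_accounts < /etc/shadow` as root, and compare `login_defs_method /etc/login.defs` with `pam_unix_method /etc/pam.d/common-password`.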
