change to default password hashing in PAM
Kees Cook
kees at ubuntu.com
Wed Aug 27 02:27:13 BST 2008
Hi James,
On Wed, Aug 27, 2008 at 01:50:56AM +0100, James Westby wrote:
> On Tue, 2008-08-26 at 16:16 -0700, Kees Cook wrote:
> > In the interest of staying ahead of modern cryptanalysis, Intrepid's PAM
> > (1.0.1-3ubuntu5) now stores new passwords with salted SHA512, rather
> > than the prior salted MD5 method. Earlier password hashing schemes are
> > still supported as before (DES, MD5).
>
> Thanks for doing this, it seems like a good change.
>
> If we wish to use SHA512 with an existing account is simply changing
> the password once the new version is installed sufficient?
Yup, that'll trigger it. :)
You can see the result in /etc/shadow, or you can double-check that PAM
is set up with it if you see "sha512" in /etc/pam.d/common-password:
password requisite pam_unix.so obscure sha512
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list