7

on AIX, it would be a simple:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

Question: But how can we set the default password algorithm to sha512?

UPDATE: I think pwd_algorithm doesn't support ssha512, but it would be better, yes.. tried it on a Linux Desktop:

[root@notebook ~]# john --test -format=ssha512
Will run 4 OpenMP threads
Benchmarking: SSHA512, LDAP [32/64 OpenSSL]... (4xOMP) DONE
Many salts: 3450K c/s real, 858307 c/s virtual
Only one salt:  2826K c/s real, 713696 c/s virtual
[root@notebook ~]# 

[root@notebook ~]# john --test -format=bcrypt
Will run 4 OpenMP threads
Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X3]... (4xOMP) DONE
Raw:    1800 c/s real, 455 c/s virtual
[root@notebook ~]# 

Does this mean ~1800 passwords per second with bcrypt and ~3 000 000 passwords per second with ssha512 on this Desktop? Slower is better.

2
  • 3
    Note that plain SHA512 and SSHA512 are very bad password hashes. Personally I recommend using bcrypt instead, but if you want something based on SHA512, use SHA512Crypt. Commented Apr 14, 2015 at 8:28
  • Also as an addition for suse users suse.com/support/kb/doc/?id=000019248 Commented Jun 29, 2020 at 19:51

2 Answers 2

11

Set ENCRYPT_METHOD SHA512 in file /etc/login.defs

Also pay attention to the NOTE mentioned in the same file, just above the ENCRYPT_METHOD parameter, which says

Note: It is recommended to use a value consistent with the PAM modules configuration.

So an additional modification along with /etc/login.defs is to modify /etc/pam.d/common-password

password [success=2 default=ignore] pam_unix.so obscure sha512

Here, obscure was handled by login.defs but is now obsoleted by PAM

8
  • Thanks! But are you sure this works both on SLES and RHEL and DEB-based ones? Commented Apr 14, 2015 at 7:23
  • It works on ubuntu. Didn't get chance to try on SLES or RHEL. But it should work, IMHO Commented Apr 14, 2015 at 7:24
  • 1
    Works on RedHat @freaking-good-question Commented Apr 14, 2015 at 7:31
  • This only affects group passwords; user passwords are done by pam and subject to pam configuration. Commented Apr 14, 2015 at 7:54
  • Not really. Above setting is not only for user password but also for group password. In file /etc/login.defs it is clearly noted that one must change the ENCRYPT_METHOD value to be consistent with the pam module configuration. See the edited answer now Commented Apr 14, 2015 at 8:46
5

Linux uses pam to handle authentication tasks. Setting the default password hashing algorithm is done by editing /etc/pam.d/common-password:

password    [success=1 default=ignore]    pam_unix.so obscure sha256

Change to whatever algorithm you want to use:

password    [success=1 default=ignore]    pam_unix.so obscure sha512

Now, your default password hashing algorithm is changed to sha512. You also need to force other users to update their passwords:

chage -d 0 <username>
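
An added example, not part of either answer above: a shell audit that checks whether ENCRYPT_METHOD in login.defs and the pam_unix.so option agree, then lists accounts whose shadow entry is still not a sha512crypt ($6$) hash and so still need chage -d 0. The function names are hypothetical, and the file contents and hash strings are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example: function names and sample data are assumptions, not from the page.

# ENCRYPT_METHOD from a login.defs-style file, lowercased (last setting wins).
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { print tolower(m) }' "$1"
}

# Hash option passed to pam_unix.so on the "password" line of a PAM file.
pam_unix_method() {
    awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|yescrypt|gost_yescrypt)$/) m = $i
    } END { print m }' "$1"
}

# Print "user:scheme" for every shadow entry that holds a hash other than $6$.
# Entries with no hash at all (empty, *, !, !!) are skipped.
stale_hashes() {
    awk -F: '{
        h = $2
        sub(/^!+/, "", h)                 # a locked account keeps its hash after "!"
        if (h == "" || h == "*") next
        if (h ~ /^\$6\$/) next            # already sha512crypt
        if (h !~ /^\$/) { print $1 ":des-or-unknown"; next }
        s = h; sub(/^\$/, "", s); sub(/\$.*/, "", s)
        print $1 ":$" s "$"
    }' "$1"
}

# Constructed sample files (placeholder hashes) so the audit runs offline.
d=$(mktemp -d)
printf '%s\n' '# constructed sample' 'ENCRYPT_METHOD SHA512' > "$d/login.defs"
printf '%s\n' 'password [success=2 default=ignore] pam_unix.so obscure sha512' \
    > "$d/common-password"
printf '%s\n' 'root:$6$saltsalt$AAAA:16539:0:99999:7:::' \
              'alice:$1$saltsalt$BBBB:16000:0:99999:7:::' \
              'bob:!$5$saltsalt$CCCC:16000:0:99999:7:::' \
              'daemon:*:16000:0:99999:7:::' > "$d/shadow"

if [ "$(login_defs_method "$d/login.defs")" = "$(pam_unix_method "$d/common-password")" ]
then echo "login.defs and PAM agree"
else echo "MISMATCH between login.defs and PAM"
fi
stale_hashes "$d/shadow"    # candidates for: chage -d 0 <username>
```

On a real system, point the functions at /etc/login.defs, /etc/pam.d/common-password and /etc/shadow (the last needs root).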
