CentOS 7: enabling blowfish hashes for password authentication


In our organization, we are distributing pre-hashed password values for a number of local accounts. Currently, these accounts' passwords are hashed using Blowfish ($2a$[...]) or Blowfish-8-bit ($2y$[...]). Other distros we are using are capable of handling this, but RedHat / CentOS seems to be deliberately lacking support for Blowfish in glibc as it is.

Is there any way to make CentOS/RedHat systems handle Blowfish hashes without profoundly breaking its serviceability through the standard update channels?

I am deploying CentOS 7.2 with a simplistic kickstart configuration and a minimal package selection:

%packages --nobase --ignoremissing
@core
kexec-tools

%end

Best Answer

After Ulrich Schwarz mentioned a custom PAM module in the comments to the question, I figured I could go and see what SLES, which makes Blowfish the default, is using.

Turns out it is a separate module called pam_unix2.so not conflicting with anything on the CentOS system. As a proof-of-concept, I have copied /lib64/security/pam_unix2.so off a SLES 11 SP4 system to /usr/lib64/security/pam_unix2.so on the CentOS host and downloaded and installed its dependency libxcrypt which again is a SuSE package, but works on CentOS 7 for this narrow purpose.

Adding

auth        sufficient    pam_unix2.so

to /etc/pam.d/system-auth allows me to authenticate against a Blowfish-crypted password on the console.

To make sure authconfig will not break the configuration on the next invocation, the symlink /etc/pam.d/system-auth pointing to /etc/pam.d/system-auth-ac should be replaced with a copy of /etc/pam.d/system-auth-ac.

Bottom line: SuSE's pam_unix2 module seems like the least invasive method to get Blowfish hashes accepted, although it also means that I would need to monitor security announcements for pam_unix2 and libxcrypt separately.
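As an added example (not part of the answer above), a small POSIX shell audit that lists which accounts in a shadow-format file carry Blowfish-prefixed hashes and checks whether a PAM stack file actually loads pam_unix2.so. The sample shadow and PAM contents are constructed; the fake hashes are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit a shadow-format file
# for password hashes that the stock CentOS 7 glibc crypt() cannot verify.
# RHEL/CentOS 7 glibc knows DES, $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512);
# the Blowfish prefixes $2a$, $2b$ and $2y$ are not handled, so accounts
# using them fail to authenticate unless a bcrypt-capable module such as
# pam_unix2.so (with libxcrypt) is present in the PAM auth stack.

# Print "user prefix" for every account whose hash uses a Blowfish prefix.
# Locked or empty password fields (*, !, !!) never match and are skipped.
find_blowfish_hashes() {
    awk -F: '$2 ~ /^\$2[aby]\$/ { split($2, p, "$"); print $1, "$" p[2] "$" }' "$1"
}

# Return 0 if the given PAM stack file has an auth line loading pam_unix2.so,
# 1 otherwise. Used to confirm the fix from the answer is actually in place.
has_pam_unix2() {
    grep -Eq '^auth[[:space:]].*pam_unix2\.so' "$1"
}

# Constructed sample data (not real credentials or real hashes).
SHADOW_SAMPLE=$(mktemp)
PAM_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$FAKESALT$FAKESHA512HASH:17000:0:99999:7:::
deploy:$2a$10$FAKEBCRYPTSALTFAKEBCRYPTHASH:17000:0:99999:7:::
svc:$2y$12$FAKEBCRYPTSALTFAKEBCRYPTHASH:17000:0:99999:7:::
nobody:!!:17000:0:99999:7:::
EOF
cat > "$PAM_SAMPLE" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
EOF

echo "Accounts with Blowfish hashes:"
find_blowfish_hashes "$SHADOW_SAMPLE"
if has_pam_unix2 "$PAM_SAMPLE"; then
    echo "pam_unix2.so present in auth stack: these accounts can authenticate"
else
    echo "pam_unix2.so missing from auth stack: these accounts will fail to log in"
fi
rm -f "$SHADOW_SAMPLE" "$PAM_SAMPLE"
```

Run it against /etc/shadow and /etc/pam.d/system-auth (as root) to see which local accounts depend on the pam_unix2 module being in place.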
