How to set default password algorithm to sha512 on Linux

password

on AIX, it would be a simple:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

Question: But how can we set the default password algorithm to sha512?

UPDATE: I think pwd_algorithm doesn't supports ssha512, but it would be better, yes.. tried it on a Linux Desktop:

[root@notebook ~]# john --test -format=ssha512
Will run 4 OpenMP threads
Benchmarking: SSHA512, LDAP [32/64 OpenSSL]... (4xOMP) DONE
Many salts: 3450K c/s real, 858307 c/s virtual
Only one salt:  2826K c/s real, 713696 c/s virtual
[root@notebook ~]# 

[root@notebook ~]# john --test -format=bcrypt
Will run 4 OpenMP threads
Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X3]... (4xOMP) DONE
Raw:    1800 c/s real, 455 c/s virtual
[root@notebook ~]#

Does this mean ~1800 passwords per second with bcrypt and ~3 000 000 passwords per seconds with ssha512 on this Desktop? Slower is better.

Best Answer

Setup ENCRYPT_METHOD SHA512 in file /etc/login.defs

Also pay attention to NOTE mentioned in the same file, just above the ENCRYPT_METHOD parameter, which says

Note: It is recommended to use a value consistent with the PAM modules configuration.

So additional modification along with /etc/login.defs is to modify /etc/pam.d/common-password

password [success=2 default=ignore] pam_unix.so obscure sha512

Here, obscure was handled by login.defs but now obsoluted by PAM

Related Solutions

security password encryption – How to Create SHA512 Password Hashes on Command Line

Yes, you're looking for mkpasswd, which (at least on Debian) is part of the whois package. Don't ask why...

anthony@Zia:~$ mkpasswd -m help
Available methods:
des     standard 56 bit DES-based crypt(3)
md5     MD5
sha-256 SHA-256
sha-512 SHA-512

Unfortunately, my version at least doesn't do bcrypt. If your C library does, it should (and the manpage gives a -R option to set the strength). -R also works on sha-512, but I'm not sure if its PBKDF-2 or not.

If you need to generate bcrypt passwords, you can do it fairly simply with the Crypt::Eksblowfish::Bcrypt Perl module.

How to tell if the password is set

The best way is with the following command:

passwd --status username

From man passwd:

Display account status information. The status information consists of 7 fields. The first field is the user's login name. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.

So, if the second output field is NP, then, that user has no password set.

Best Answer

Related Solutions

security password encryption – How to Create SHA512 Password Hashes on Command Line

How to tell if the password is set

Related Question