Cookies and cream
A glance into /etc/pam.d/common-password shows this line:
Given all the talk lately of MD5 and SHA1 being somewhat insecure, I'd rather use something else like SHA512 or Whirlpool (preferably!). How can I safely do this and "upgrade" all my users' passwords to the new hash algorithm? And where the heck are the encrypted passwords stored these days, anyway? /etc/passwd used to be it, but that shows nothing relevant.Code:password requisite pam_unix.so nullok obscure md5
Thanks.
Ubuntu addict and loving it
I think I saw a bug a while ago about SHA1 not being supported in pam. If that is correct, I don't think SHA512 will work either. I could be mistaken, though. I want pam support for the blowfish algorithm.Originally Posted by CaptSaltyJack
edit: Wow, there is support for blowfish!
Passwords are stored in /etc/shadow.Code:sudo apt-get install libpam-unix2
You should be able to change the algorithm in pam, and your old hashes should still work. The passwords would be stored using the old algorithm until you reset them.Code:sudo getent shadow CaptSaltyJack
Last edited by cdenley; September 19th, 2008 at 09:58 PM.
Cookies and cream
But isn't Blowfish 2-way encryption? Isn't it better to use hashing (1-way) for passwords? Whirlpool is my hash of choice, but I doubt PAM supports it.
PS, thanks for the tip on the shadow file.
Ubuntu addict and loving it
I think you might be right. I'm not sure. I'm still playing around with the pam settings seeing what linux can do.
Ubuntu addict and loving it
For getting blowfish to work
http://ubuntuforums.org/showthread.php?t=300208
I always assumed it was very secure because it is used by OpenBSD. I'm not a cryptography expert, though. The poster in that thread seems to think it's better than MD5.
Cookies and cream
I'm no crypto expert either, but Blowfish is absolutely more secure than SHA1 or MD5. The thing is, theoretically, someone could take /etc/shadow and decrypt passwords since Blowfish is 2-way encryption, whereas MD5/SHA1/SHA512/Whirlpool/etc are 1-way encryption. Of course, the likelihood of someone cracking Blowfish encrypted passwords is pretty small.
Still, though, I vote that whoever is behind PAM implements Whirlpool hashing. Whirlpool is the sh*t!
Cookies and cream
PS: Why Whirlpool blows MD5/SHA1 away:
Of course, SHA512 is certainly no laughing matter either.Code:$ php -a Interactive shell php > print md5('my password'); 329670c3265b6ccd392e622733e9772f php > print sha1('my password'); a2f8f7fa195a080a22a689041daa8f2044f9f336 php > print hash('whirlpool', 'my password'); f00fec1f21606d51fdf9358f27f54ef131e1f78c11c639d13e8be402e0137c42634d97edc5a43b0822c3312e3c86703d93f5f15493ef94a70cf3f85615a457a6
Code:php > print hash('sha512', 'my password'); e28bdbf8faa97dab2203fcc89e397a4bf8d4a5b370421e5481a55f317caee4f81be5a810bb1cffc4695c32198717b9a6e835895852ee3a8689d0963463f2db15
Ubuntu addict and loving it
This will help you identify which algorithm you hashes actually use
http://people.redhat.com/drepper/SHA-crypt.txt
Ubuntu addict and loving it
I'm not sure the size of the hash is a direct indicator of the strength, but I'm sure it is a factor. Here is blowfish vs md5PS: Why Whirlpool blows MD5/SHA1 away:
Of course, SHA512 is certainly no laughing matter either.Code:$ php -a Interactive shell php > print md5('my password'); 329670c3265b6ccd392e622733e9772f php > print sha1('my password'); a2f8f7fa195a080a22a689041daa8f2044f9f336 php > print hash('whirlpool', 'my password'); f00fec1f21606d51fdf9358f27f54ef131e1f78c11c639d13e8be402e0137c42634d97edc5a43b0822c3312e3c86703d93f5f15493ef94a70cf3f85615a457a6
Code:php > print hash('sha512', 'my password'); e28bdbf8faa97dab2203fcc89e397a4bf8d4a5b370421e5481a55f317caee4f81be5a810bb1cffc4695c32198717b9a6e835895852ee3a8689d0963463f2db15
blowfish: $2a$05$8lNnqkSq5R8BfMNZLIJxA.pbWvHHvn3y813YWvLrz7m FPYCOYqMA2
md5: $1$jmG9uZUU$j2diNHCtKEC/0KLchlw96.
Cookies and cream
How did you get the $1$ in your MD5 hash? My Linux md5 command won't do it, neither will PHP.
Posting Permissions
Adv Reply
Bookmarks