Thread: [SOLVED] Making PAM use SHA512 instead of MD5

  1. #1
    Join Date
    Feb 2007
    Beans
    397
    Distro
    Ubuntu 12.04 Precise Pangolin

    [SOLVED] Making PAM use SHA512 instead of MD5

    A glance into /etc/pam.d/common-password shows this line:

    Code:
    password   requisite   pam_unix.so nullok obscure md5
    Given all the talk lately of MD5 and SHA1 being somewhat insecure, I'd rather use something else like SHA512 or Whirlpool (preferably!). How can I safely do this and "upgrade" all my users' passwords to the new hash algorithm? And where the heck are the encrypted passwords stored these days, anyway? /etc/passwd used to be it, but that shows nothing relevant.

    Thanks.

  2. #2
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Making PAM use SHA512 instead of MD5

    Quote Originally Posted by CaptSaltyJack View Post
    A glance into /etc/pam.d/common-password shows this line:

    Code:
    password   requisite   pam_unix.so nullok obscure md5
    Given all the talk lately of MD5 and SHA1 being somewhat insecure, I'd rather use something else like SHA512 or Whirlpool (preferably!). How can I safely do this and "upgrade" all my users' passwords to the new hash algorithm? And where the heck are the encrypted passwords stored these days, anyway? /etc/passwd used to be it, but that shows nothing relevant.

    Thanks.
    I think I saw a bug a while ago about SHA1 not being supported in pam. If that is correct, I don't think SHA512 will work either. I could be mistaken, though. I want pam support for the blowfish algorithm.

    edit: Wow, there is support for blowfish!
    Code:
    sudo apt-get install libpam-unix2
    Passwords are stored in /etc/shadow.
    Code:
    sudo getent shadow CaptSaltyJack
    You should be able to change the algorithm in pam, and your old hashes should still work. The passwords would be stored using the old algorithm until you reset them.
    Last edited by cdenley; September 19th, 2008 at 09:58 PM.

  3. #3
    Join Date
    Feb 2007
    Beans
    397
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Making PAM use SHA512 instead of MD5

    But isn't Blowfish 2-way encryption? Isn't it better to use hashing (1-way) for passwords? Whirlpool is my hash of choice, but I doubt PAM supports it.

    PS, thanks for the tip on the shadow file.

  4. #4
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Making PAM use SHA512 instead of MD5

    Quote Originally Posted by CaptSaltyJack View Post
    But isn't Blowfish 2-way encryption? Isn't it better to use hashing (1-way) for passwords? Whirlpool is my hash of choice, but I doubt PAM supports it.

    PS, thanks for the tip on the shadow file.
    I think you might be right. I'm not sure. I'm still playing around with the pam settings seeing what linux can do.

  5. #5
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Making PAM use SHA512 instead of MD5

    For getting blowfish to work
    http://ubuntuforums.org/showthread.php?t=300208
    I always assumed it was very secure because it is used by OpenBSD. I'm not a cryptography expert, though. The poster in that thread seems to think it's better than MD5.

  6. #6
    Join Date
    Feb 2007
    Beans
    397
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Making PAM use SHA512 instead of MD5

    I'm no crypto expert either, but Blowfish is absolutely more secure than SHA1 or MD5. The thing is, theoretically, someone could take /etc/shadow and decrypt passwords since Blowfish is 2-way encryption, whereas MD5/SHA1/SHA512/Whirlpool/etc are 1-way encryption. Of course, the likelihood of someone cracking Blowfish encrypted passwords is pretty small.

    Still, though, I vote that whoever is behind PAM implements Whirlpool hashing. Whirlpool is the sh*t!

  7. #7
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Making PAM use SHA512 instead of MD5

    This will help you identify which algorithm your hashes actually use:
    http://people.redhat.com/drepper/SHA-crypt.txt
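    The two practical points in this thread (post #2: old hashes stay in /etc/shadow until each user changes their password; post #7: the algorithm is identifiable from the hash itself) can be checked with a small audit script. The example below is added here and is not code from the thread or from PAM; the shadow lines in it are constructed with made-up hash bodies, and the id-prefix table follows the crypt(3) convention described in the SHA-crypt document linked above ($1$ md5, $5$ sha256, $6$ sha512, with an optional rounds= field) plus the bcrypt/yescrypt ids used by other crypt implementations.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# crypt(3) id prefixes -> algorithm. $5$/$6$ and the rounds= syntax come from
# the SHA-crypt specification; $1$ is glibc md5-crypt; $2a$/$2b$/$2y$ are the
# bcrypt (Blowfish) ids; $y$ is yescrypt. Hashes with no "$id$" prefix are
# traditional DES crypt.
PREFIX_ALGOS: Dict[str, str] = {
    "1": "md5-crypt",
    "2a": "bcrypt (Blowfish)",
    "2b": "bcrypt (Blowfish)",
    "2y": "bcrypt (Blowfish)",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}

# Algorithms that a move to sha512 in common-password is meant to retire.
LEGACY_ALGOS = {"des-crypt", "md5-crypt"}

SHA_CRYPT_DEFAULT_ROUNDS = 5000  # ROUNDS_DEFAULT in the SHA-crypt spec


@dataclass
class HashInfo:
    algorithm: str
    rounds: Optional[int]   # iteration count, None when not applicable
    locked: bool            # account cannot log in with a password


def classify_hash(field: str) -> HashInfo:
    """Classify the second field of an /etc/shadow line."""
    # A leading "!" marks a locked account; the original hash may follow it.
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*"):
        # "*" (or an empty/locked field) means no password login is possible.
        return HashInfo("none", None, True)

    m = re.match(r"^\$(?P<id>[^$]+)\$(?P<rest>.*)$", body)
    if m is None:
        # Traditional DES crypt: 13 characters from [./0-9A-Za-z], no prefix.
        algo = "des-crypt" if re.fullmatch(r"[./0-9A-Za-z]{13}", body) else "unknown"
        return HashInfo(algo, None, locked)

    hash_id, rest = m.group("id"), m.group("rest")
    algo = PREFIX_ALGOS.get(hash_id, f"unknown (${hash_id}$)")
    rounds: Optional[int] = None
    if hash_id in ("5", "6"):
        rm = re.match(r"rounds=(\d+)\$", rest)
        rounds = int(rm.group(1)) if rm else SHA_CRYPT_DEFAULT_ROUNDS
    elif hash_id in ("2a", "2b", "2y"):
        # bcrypt stores a cost factor; the iteration count is 2**cost.
        cm = re.match(r"(\d{2})\$", rest)
        rounds = 2 ** int(cm.group(1)) if cm else None
    return HashInfo(algo, rounds, locked)


def parse_shadow(text: str) -> List[Tuple[str, HashInfo]]:
    """Return (username, HashInfo) for every non-empty shadow line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries.append((fields[0], classify_hash(fields[1])))
    return entries


def audit_legacy(entries: List[Tuple[str, HashInfo]]) -> List[str]:
    """Users who can still log in and whose hash predates the algorithm change."""
    return [user for user, info in entries
            if info.algorithm in LEGACY_ALGOS and not info.locked]


# Constructed sample shadow content (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW = """\
root:$6$rounds=10000$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789:18000:0:99999:7:::
alice:$1$aBcDeFgH$XxXxXxXxXxXxXxXxXxXxXx:17000:0:99999:7:::
bob:$6$saltsalt$YyYyYyYyYyYyYyYyYyYyYyYyYyYyYyYy:18000:0:99999:7:::
carol:$2y$10$ZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZ:18000:0:99999:7:::
dave:!$1$aBcDeFgH$XxXxXxXxXxXxXxXxXxXxXx:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
legacy:AbCdEfGhIjKlM:16000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, info in parse_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {info.algorithm:20} rounds={info.rounds} locked={info.locked}")
    print("still on legacy hashes:", audit_legacy(parse_shadow(SAMPLE_SHADOW)))
```

    Running it against a real file needs root (`sudo getent shadow` as in post #2, or reading /etc/shadow directly). After switching the pam_unix.so option from md5 to sha512, the audit list shrinks only as users set new passwords, which is exactly the behaviour post #2 describes.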
