#2814: Use SHA-512 instead of MD5 for password encrypting
----------------------+-----------------------------------------------------
 Reporter:  willimm   |       Owner:  lfs-b...@…                     
     Type:  task      |      Status:  new                            
 Priority:  normal    |   Milestone:  6.8                            
Component:  Book      |     Version:  SVN                            
 Severity:  critical  |    Keywords:  sha-512 shadow md5 is very weak
----------------------+-----------------------------------------------------
 See the thread starting with:

 http://linuxfromscratch.org/pipermail/lfs-dev/2010-December/064462.html

 Short summary: MD5 has been known for a while to be cryptographically weak
 (even though it's stronger than DES), and the attacks going around don't
 make me feel comfy with using MD5 for passwords.

 The Government of the United States recommends that MD5 should be ditched
 and replaced with SHA-2. Now, as SHA-2 was added to Glibc in version 2.7,
 we could have done this a while ago if the word came out sooner. But, let's
 face it, MD5 is weak.

 The change is easy: In the Shadow instructions (in both LFS and BLFS),
 just simply replace the sed for MD5 with a sed for this:

 {{{
 sed -i -e 's...@#encrypt_method d...@encrypt_method SHA512@' \
         -e 's@/var/spool/mail@/var/mail@' etc/login.defs
 }}}

 And that's really it, as the PAM configuration is already using SHA-512.

 Marking this as critical because, while I'd like to see this done soon,
 it's not exactly a deal breaker. Still very important, though.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/2814>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
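
Added example, not part of the original ticket or the LFS book: a check of which scheme login.defs selects and which scheme each existing shadow entry actually uses, since changing the setting only affects passwords set afterwards. The function names, file layout under a temporary directory and all hash strings are constructed placeholders.

```shell
#!/bin/sh
# Print the active (uncommented) ENCRYPT_METHOD from a login.defs file,
# or "unset" when only commented-out lines exist.
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 }
         END { print (m == "" ? "unset" : m) }' "$1"
}

# Print "user scheme" for every shadow entry, classified by hash prefix.
shadow_schemes() {
    awk -F: '{
        h = $2
        if (h == "") { print $1, "empty"; next }   # no password required
        sub(/^!+/, "", h)      # leading "!" = locked; a hash may still follow
        if (h == "" || h == "*")          s = "nohash"
        else if (index(h, "$1$") == 1)    s = "md5"
        else if (index(h, "$5$") == 1)    s = "sha256"
        else if (index(h, "$6$") == 1)    s = "sha512"
        else if (h !~ /^\$/)              s = "des"   # no $id$ prefix
        else                              s = "other"
        print $1, s
    }' "$1"
}

# Accounts whose stored hash is still MD5 or DES; these stay that way
# until the password is set again under the new ENCRYPT_METHOD.
legacy_accounts() {
    shadow_schemes "$1" | awk '$2 == "md5" || $2 == "des" { print $1 }'
}

# Constructed sample files; the hash strings are fake placeholders.
tmp=$(mktemp -d)
printf '%s\n' '#ENCRYPT_METHOD DES' 'ENCRYPT_METHOD SHA512' > "$tmp/login.defs"
printf '%s\n' \
    'root:$6$CONSTRUCTED$fakehash:14950:0:99999:7:::' \
    'alice:$1$CONSTRUCTED$fakehash:14900:0:99999:7:::' \
    'bob:!$1$CONSTRUCTED$fakehash:14900:0:99999:7:::' \
    'daemon:*:14900:0:99999:7:::' \
    'carol:ABconstructed:14900:0:99999:7:::' > "$tmp/shadow"

echo "login.defs selects: $(login_defs_method "$tmp/login.defs")"
echo "accounts still on MD5/DES hashes:"
legacy_accounts "$tmp/shadow"
```

On a real system the same functions take /etc/login.defs and /etc/shadow as arguments and need root to read the latter.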
