Information
A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.
The SHA-512 algorithm provides stronger hashing than the other algorithms available for password hashing on Linux, giving the system additional protection by increasing the effort an attacker must spend to recover passwords from their hashes.
Note: These changes only apply to accounts configured on the local system.
Solution
Set the password hashing algorithm to sha512.
Edit /etc/libuser.conf and edit or add the following line:
crypt_style = sha512
Edit /etc/login.defs and edit or add the following line:
ENCRYPT_METHOD SHA512
-OR-
ENCRYPT_METHOD YESCRYPT
Run the following script to configure pam_unix.so to use the sha512 hashing algorithm:
#!/usr/bin/env bash
{
  # Operate on the currently selected custom authselect profile
  for fn in system-auth password-auth; do
    file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn"
    # Nothing to do if the pam_unix.so password line already carries sha512
    if ! grep -Pq -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)?\h+sha512\b.*$' "$file"; then
      # A different algorithm is set: replace it in place ...
      if grep -Pq -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)?\h+(md5|blowfish|bigcrypt|sha256|yescrypt)\b.*$' "$file"; then
        sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' "$file"
      else
        # ... otherwise no algorithm is given: insert sha512 directly after pam_unix.so
        sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+)(.*)$/\1sha512 \3/' "$file"
      fi
    fi
  done
  # Regenerate the files under /etc/pam.d from the modified profile
  authselect apply-changes
}
Note: This only affects local users and passwords created after the files are updated to use sha512. If it is determined that the password algorithm in use is not SHA-512, then once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords at next login.
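Existing hashes are not rewritten when the algorithm is changed, so the accounts that still need to be expired have to be found in /etc/shadow. The audit helper below is an added example, not part of the benchmark's remediation script: it classifies each shadow entry by its crypt(3) hash prefix ($6$ for SHA-512, $y$ for yescrypt, $5$ for SHA-256, $1$ for MD5, $2a$/$2b$/$2y$ for blowfish, no prefix for traditional DES) and lists the accounts whose password is neither SHA-512 nor yescrypt and not locked. It also reads the ENCRYPT_METHOD value out of login.defs-format text. The shadow lines and login.defs lines it runs on are constructed sample data with placeholder hash values.

```shell
#!/usr/bin/env bash
# Added audit helper: find local accounts whose stored hash predates the
# SHA-512 change so they can be expired. Not part of the benchmark script.

# Print the hashing scheme implied by the password field of a shadow entry.
hash_scheme() {
  local h="$1"
  case "$h" in
    ''|'!'*|'*'*)            echo locked ;;    # locked, or no password set
    '$6$'*)                  echo sha512 ;;
    '$y$'*|'$gy$'*)          echo yescrypt ;;
    '$5$'*)                  echo sha256 ;;
    '$1$'*)                  echo md5 ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
    '$'*)                    echo unknown ;;   # some other modular-crypt id
    *)                       echo descrypt ;;  # 13-char traditional DES hash
  esac
}

# Read shadow-format lines on stdin; print "user scheme" for every account
# whose hash is neither SHA-512 nor yescrypt and which is not locked.
weak_accounts() {
  local user hash rest scheme
  while IFS=: read -r user hash rest; do
    [ -n "$user" ] || continue
    scheme=$(hash_scheme "$hash")
    case "$scheme" in
      sha512|yescrypt|locked) ;;
      *) printf '%s %s\n' "$user" "$scheme" ;;
    esac
  done
}

# Print the value of the last uncommented ENCRYPT_METHOD line read on stdin.
login_defs_method() {
  awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { print m }'
}

# Constructed sample data: the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::
alice:$1$EXAMPLE$EXAMPLEHASH:19000:0:99999:7:::
bob:$5$EXAMPLE$EXAMPLEHASH:19000:0:99999:7:::
carol:$y$j9T$EXAMPLE$EXAMPLEHASH:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
dave:$2b$12$EXAMPLEHASH:19000:0:99999:7:::'

SAMPLE_LOGIN_DEFS='UMASK 022
#ENCRYPT_METHOD MD5
ENCRYPT_METHOD SHA512'

# Stand-alone run over the constructed sample; on a real host use
#   weak_accounts < /etc/shadow     and     login_defs_method < /etc/login.defs
printf 'login.defs ENCRYPT_METHOD: %s\n' "$(printf '%s\n' "$SAMPLE_LOGIN_DEFS" | login_defs_method)"
printf 'accounts still on a weaker scheme:\n'
printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
```

Run as root against the real files, every user the helper lists still carries a hash produced before the change; `chage -d 0 <user>` expires such an account's password so it must be changed at next login, at which point the new sha512 setting takes effect for it.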