4.4.3.4.3 Ensure pam_unix includes a strong password hashing algorithm

Information

A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.

Note: These changes only apply to the local system.

Solution

Note:

- If yescrypt becomes available in a future release, this would also be acceptable. It is highly recommended that the chosen hashing algorithm is consistent across /etc/libuser.conf /etc/login.defs /etc/pam.d/password-auth and /etc/pam.d/system-auth
- This only effects local users and passwords created after updating the files to use sha512 or yescrypt If it is determined that the password algorithm being used is not sha512 or yescrypt once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login.

Run the following script to verify the active authselect profile includes a strong password hashing algorithm on the password stack's pam_unix.so module lines:

#!/usr/bin/env bash

{
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
grep -P -- '^h*passwordh+(requisite|required|sufficient)h+pam_unix.soh+([^#
r]+h+)?(sha512|yescrypt)b' "$l_pam_profile_path"/{password,system}-auth
}

Example output:

/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok

/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok

- IF - the output does not include either sha512 - OR - yescrypt or includes a different hashing algorithm, run the following script:

#!/usr/bin/env bash

{
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
if grep -Pq '^h*passwordh+()h+pam_unix.soh+([^#
r]+h+)?(sha512|yescrypt)b' "$l_authselect_file"; then
echo "- A strong password hashing algorithm is correctly set"
elif grep -Pq '^h*passwordh+()h+pam_unix.soh+([^#
r]+h+)?(md5|bigcrypt|sha256|blowfish)b' "$l_authselect_file"; then
echo "- A weak password hashing algorithm is set, updating to \"sha512\""
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_unix.sos+.*)(md5|bigcrypt|sha256|blowfish)(s*.*)$/14 sha512/g' "$l_authselect_file"
else
echo "No password hashing algorithm is set, updating to \"sha512\""
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_unix.sos+.*)$/&amp; sha512/g' "$l_authselect_file"
fi
done
}

Run the following command to update the password-auth and system-auth files in /etc/pam.d to include pam_unix.so with a strong password hashing algorithm argument:

# authselect apply-changes

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 3c7e6bfba3b29d704a73906e6a2e6aa1a1a255e61820e900cec2f6382351a0da