4.4.2.4.3 Ensure pam_unix includes a strong password hashing algorithm

Information

A cryptographic hash function converts an arbitrary-length input into a fixed-length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

The SHA-512 algorithm provides a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.

Note: These changes only apply to the local system.

Solution

Note: This only affects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not sha512 once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords on next login.

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Edit the pam_unix.so lines as follows:

- Add the sha512 argument
- Remove all md5, bigcrypt, sha256, and blowfish arguments

auth sufficient pam_unix.so try_first_pass
account required pam_unix.so
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
session required pam_unix.so
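The following audit helper is an added example, not part of the benchmark text. It checks a PAM file for the sha512 argument (and the absence of the weak arguments listed above) on the password pam_unix.so line, and lists accounts in a shadow-format file whose stored hash is not SHA-512, which is the case the note above says should be followed by a forced password change. Function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added audit helpers, not part of the benchmark text. They assume the
# pam_unix.so argument names listed on this page and the shadow(5) layout.

# Return 0 if the "password ... pam_unix.so" line(s) in the PAM file $1 carry
# sha512 and none of md5, bigcrypt, sha256 or blowfish; otherwise print the
# reason and return 1.
check_pam_unix_hash() {
    rc=1
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        printf '%s\n' "$line" | grep -qE '^[[:space:]]*password[[:space:]].*pam_unix\.so' || continue
        rc=0
        if ! printf '%s\n' "$line" | grep -qw sha512; then
            echo "$1: sha512 missing: $line"; return 1
        fi
        if printf '%s\n' "$line" | grep -qwE 'md5|bigcrypt|sha256|blowfish'; then
            echo "$1: weak hash argument present: $line"; return 1
        fi
    done < "$1"
    [ "$rc" -eq 0 ] || echo "$1: no password pam_unix.so line found"
    return "$rc"
}

# Print accounts in shadow-format file $1 whose stored hash is not SHA-512
# ($6$ prefix); empty and locked fields ("!", "*", "!!") are skipped. Returns 1
# if any such account exists, 0 otherwise. Distributions that default to
# yescrypt ($y$) would need that prefix added to the accepted set.
list_non_sha512_users() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$6\$/ { print $1; found = 1 }
             END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample files (not real system files) for a stand-alone run.
tmp=$(mktemp -d)
printf 'auth sufficient pam_unix.so try_first_pass\n' > "$tmp/good"
printf 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n' >> "$tmp/good"
printf 'password sufficient pam_unix.so md5 shadow try_first_pass\n' > "$tmp/bad"
printf 'root:$6$salt$hash:19000:0:99999:7:::\nalice:$1$salt$hash:19000:0:99999:7:::\nbob:!!:19000:0:99999:7:::\n' > "$tmp/shadow"

check_pam_unix_hash "$tmp/good" && echo "good: compliant"
check_pam_unix_hash "$tmp/bad" || echo "bad: fix the line, then expire affected passwords"
list_non_sha512_users "$tmp/shadow" || echo "=> non-SHA-512 hashes found; force a password change for these accounts"
rm -rf "$tmp"
```

Run it against /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/shadow (as root) to confirm the setting took effect and to find accounts still carrying an older hash.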

See Also

https://workbench.cisecurity.org/benchmarks/15964

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 6d562691d7d17a21759960b6a42bd96daf1ff0d1c9b79c78cd1ee4f00e2f05e7