5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm

Information

A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

The pam_unix module can be configured to use one of the following hashing algorithms for user's passwords:

- md5 - When a user changes their password next, encrypt it with the MD5 algorithm.
- bigcrypt - When a user changes their password next, encrypt it with the DEC C2 algorithm.
- sha256 - When a user changes their password next, encrypt it with the SHA256 algorithm. The SHA256 algorithm must be supported by the crypt(3) function.
- sha512 - When a user changes their password next, encrypt it with the SHA512 algorithm. The SHA512 algorithm must be supported by the crypt(3) function.
- blowfish - When a user changes their password next, encrypt it with the blowfish algorithm. The blowfish algorithm must be supported by the crypt(3) function.
- gost_yescrypt - When a user changes their password next, encrypt it with the gost-yescrypt algorithm. The gost-yescrypt algorithm must be supported by the crypt(3) function.
- yescrypt - When a user changes their password next, encrypt it with the yescrypt algorithm. The yescrypt algorithm must be supported by the crypt(3) function.

The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.

Note: These changes only apply to the local system.

Solution

Run the following command:

# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_unix.so/) print FILENAME}' /usr/share/pam-configs/*

Edit any returned files and edit or add a strong hashing algorithm, either sha512 or yescrypt, that meets local site policy to the pam_unix lines in the Password section:

Example File:

Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary # <- Start of "Auth" section
Auth:
[success=end default=ignore] pam_unix.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_unix.so
Account-Type: Primary # <- Start of "Account" section
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional # <- Start of "Session" section
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary # <- Start of "Password" section
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt # <- **ensure hashing algorithm is either sha512 or yescrypt**
Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt # <- **ensure hashing algorithm is either sha512 or yescrypt**

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable unix

See Also

https://workbench.cisecurity.org/benchmarks/17074

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 0d128904a6ad2bca7b902c56a5a41f98df49873fad44b697c41234b52bb437e4