Update password hashing algorithm for Linux / Unix

"Warranty void if this seal is broken", that's a common line on any newly purchased electronic device. So if you open the device, its detected. Similar concept applies to world of "Passwords" on a computer. The characters of the plain text password are mixed in using different algorithms to create a hash which is kind of a signature for a stream of data. Another way to explain this according to wikipedia is, "A hash function is an algorithm that transforms (hashes) an arbitrary set of data elements into a single fixed length value (the hash)". So if the original password is "whoami8996" its hash value (using md5sum command on UNIX) is something like "5265638efece6f38bbdc858a5c396fb0", but if I change even one character from the password , its hash will change. These hashing algorithms are designed in such a way that no two different strings will have the same hash value. On Linux/UNIX operating systems you can look at a user's password hash in the /etc/passwd or /etc/shadow file.

This is how a user's account looks like in /etc/passwd file:


Every field is separated by a colon " : " and the second field is the hash value of the user's password. Note: An x character instead of the hash indicates that encrypted password is stored in /etc/shadow file. One good thing about the hash is, its of same length for passwords of different lengths ( using the same algorithm to create a hashed value) . In above case MD5 algorithm is used to create the hash. How did I know that ??? Lets try to analyze the hash- $1$Lq1yUo3c$GF7n.Lwjc0YVhHaYvnawQ1.

Every hash has a unique identifier string, like $1$ at the start of the hash in above case indicates that the hash was created using MD5 algorithm. Below table provides the list of algorithms and their identifier strings :

Alogrithm usedHashed value starts with
Blowfish$2$, $2a$, $2x$ or $2y$
NT Hash$3$
SHA2 (256 or 384 bits)$5$
SHA2 (512 bits)$6$

In the above table, algorithms are listed in the order starting with weakest (prone to attack or more vulnerable to compromise) to strongest ( no known attacks or require very long time to attack/compromise using methods like brute force ). Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password. So how do you update the hashing algorithm used ?

Detect hashing algorithm used :
#authconfig --test | grep hashing
Sample output: password hashing algorithm is md5
Another way to detect:
egrep "password .* pam_unix.so" /etc/pam.d/system-auth-ac | egrep "sha256" | egrep -v "^[ ]*#"
The above command needs to be altered according the linux distribution used. Below are some files to look for:
/etc/pam.d/common-password (Debian)
/etc/default/password OR /etc/default/passwd (SUSE/Novell)
/etc/pam.d/system-auth-ac (Red Hat Enterprise Linux - RHEL)
/etc/security/policy.conf (Oracle Solaris)
/etc/security/login.cfg (IBM AIX)
Update the hashing algorithm (RHEL only, for others try editing the files above):
#authconfig --passalgo=sha512 --update
The above update will be applicable only for those users who will change their passwords post the setting update. Existing users who have not changed their password, will still continue to use the previously set hashing algorithm. However we can enforce the users to change their passwords on next login by setting the password expiry age to 0 days for a required user.
Force user to change password:
#chage -d 0 user-name
#passwd -f user-name


Post a Comment