Bug 439805

Summary: RHEL4.7 Release Notes: Password Hashing using SHA-256/SHA-512
Product: Red Hat Enterprise Linux 4 Reporter: Miloslav Trmač <mitr>
Component: redhat-releaseAssignee: Ryan Lerch <rlerch>
Status: CLOSED CURRENTRELEASE QA Contact: Content Services Development <ecs-dev-list>
Severity: low Docs Contact:
Priority: low    
Version: 4.7CC: ddomingo
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 4.7 Release Notes Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-28 00:03:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 228697, 427384, 427394, 427397, 427448, 427800    
Bug Blocks: 391231    

Description Miloslav Trmač 2008-03-31 14:55:29 UTC
(`...` stands for the appropriate markup)

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, run `authconfig
--passalgo=sha256 --kickstart` or `authconfig --passalgo=sha512 --kickstart`.
Existing user accounts will not be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only
for kickstart installations. To do so, use the `--passalgo=sha256` or
`--passalgo=sha512` options of the kickstart command `auth`; also, remove the
`--enablemd5` option if present.

If your installation does not use kickstart, use `authconfig` as described
above, then change all passwords (including `root`) created after installation.

Appropriate options were also added to `libuser`, `pam`, and `shadow-utils` to
support these password hashing algorithms.  `authconfig` configures necessary
options automatically, so it is usually not necessary to modify them manually.

* New values of the `crypt_style` option and new options for both
  `hash_rounds_min` and `hash_rounds_max` are now supported in the `[defaults]`
  section of `/etc/libuser.conf`. For more information, refer to
  `/usr/share/doc/libuser-[libuser version]/README.sha`.

* New options `sha256`, `sha512`, and `rounds` are now supported by the
  `pam_unix` PAM module. For more information, refer to
  `/usr/share/doc/pam-[pam version]/txts/README.pam_unix`.

* The following new options in `/etc/login.defs` are now supported by
  `shadow-utils`:

   o `ENCRYPT_METHOD` — Specifies the encryption methos to be used.  Valid
     values are `DES`, `MD5`, `SHA256`, `SHA512`. If this option is defined,
     `MD5_CRYPT_ENAB` is ignored.

   o `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` — Specifies the number
      of hashing rounds to use if `ENCRYPT_METHOD` is set to `SHA256` or
      `SHA512`. If neither option is set, a default value is chosen by
      `glibc`. If only one option is set, the encryption method specifies the
      number of rounds.

      If both options are used, they specify an inclusive interval from which
      the number of rounds is chosen randomly. The selected number of rounds is
      limited to the inclusive interval [1000, 999999999].

Comment 1 Don Domingo 2008-03-31 22:48:30 UTC
Miloslav, this is the exact same release note that appears in the RHEL5.2
release notes, right? 

Comment 2 Miloslav Trmač 2008-03-31 23:29:20 UTC
No.
* authconfig uses --kickstart instead of --update
* authconfig GUI does not support changing the hash
* libuser.conf man page does not exist
Perhaps there are other changes I cannot remember.

Comment 3 Don Domingo 2008-03-31 23:39:43 UTC
noted. release note added to RHEL4.7 under "Feature Updates". thanks!

Comment 4 Don Domingo 2008-06-02 23:15:29 UTC
Hi,

the RHEL4.7 release notes deadline is on June 17, 2008 (Tuesday). they will
undergo a final proofread before being dropped to translation, at which point no
further additions or revisions will be entertained.

a mockup of the RHEL4.7 release notes can be viewed here:
http://intranet.corp.redhat.com/ic/intranet/RHEL4u7relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don

Comment 5 Miloslav Trmač 2008-06-02 23:24:25 UTC
Please change both occurrences of "--update" in the release note to "--kickstart".

"--update" is not supported in RHEL4.

Comment 6 Don Domingo 2008-06-02 23:51:13 UTC
thanks Miloslav. release notes revised (updated on mockup link as well)