|Summary:||RHEL4.7 Release Notes: Password Hashing using SHA-256/SHA-512|
|Product:||Red Hat Enterprise Linux 4||Reporter:||Miloslav Trmač <mitr>|
|Component:||redhat-release||Assignee:||Ryan Lerch <rlerch>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Content Services Development <ecs-dev-list>|
|Fixed In Version:||4.7 Release Notes||Doc Type:||Bug Fix|
|Last Closed:||2008-08-28 00:03:14 UTC||Type:||---|
|Bug Depends On:||228697, 427384, 427394, 427397, 427448, 427800|
Description Miloslav Trmač 2008-03-31 14:55:29 UTC
(`...` stands for the appropriate markup)

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, run `authconfig --passalgo=sha256 --kickstart` or `authconfig --passalgo=sha512 --kickstart`. Existing user accounts will not be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only for kickstart installations. To do so, use the `--passalgo=sha256` or `--passalgo=sha512` options of the kickstart command `auth`; also, remove the `--enablemd5` option if present.

If your installation does not use kickstart, use `authconfig` as described above, then change all passwords (including `root`) created after installation.

Appropriate options were also added to `libuser`, `pam`, and `shadow-utils` to support these password hashing algorithms. `authconfig` configures necessary options automatically, so it is usually not necessary to modify them manually.

* New values of the `crypt_style` option and new options for both `hash_rounds_min` and `hash_rounds_max` are now supported in the `[defaults]` section of `/etc/libuser.conf`. For more information, refer to `/usr/share/doc/libuser-[libuser version]/README.sha`.
* New options `sha256`, `sha512`, and `rounds` are now supported by the `pam_unix` PAM module. For more information, refer to `/usr/share/doc/pam-[pam version]/txts/README.pam_unix`.
* The following new options in `/etc/login.defs` are now supported by `shadow-utils`:
  o `ENCRYPT_METHOD` — Specifies the encryption method to be used. Valid values are `DES`, `MD5`, `SHA256`, `SHA512`. If this option is defined, `MD5_CRYPT_ENAB` is ignored.
  o `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` — Specifies the number of hashing rounds to use if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`. If neither option is set, a default value is chosen by `glibc`. If only one option is set, the encryption method specifies the number of rounds. If both options are used, they specify an inclusive interval from which the number of rounds is chosen randomly. The selected number of rounds is limited to the inclusive interval [1000, 999999999].
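An added example, not part of the bug report or of any Red Hat tool: because existing accounts keep their old hash until the password is changed, this Python audit reads shadow-format entries and lists the accounts that still carry a DES or MD5 hash, or a SHA hash with fewer rounds than a chosen minimum. The function names, the `min_rounds` threshold and the sample entries are assumptions made for illustration; 5000 is the round count glibc uses when no `rounds=` parameter is stored.

```python
import re

# crypt(3) identifiers for the schemes named in the release note.
PREFIXES = {"1": "MD5", "5": "SHA256", "6": "SHA512"}
GLIBC_DEFAULT_ROUNDS = 5000  # used by glibc when the hash stores no rounds=
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, rounds) for the password field of a shadow entry."""
    pw = field.lstrip("!")          # leading '!' marks a locked password
    if pw in ("", "*"):
        return ("NONE", None)       # no usable password hash
    if DES_RE.match(pw):
        return ("DES", None)
    parts = pw.split("$")           # ['', id, (rounds=N,) salt, hash]
    if len(parts) < 4 or parts[0] != "" or parts[1] not in PREFIXES:
        return ("UNKNOWN", None)
    scheme = PREFIXES[parts[1]]
    if scheme == "MD5":
        return (scheme, None)
    m = re.fullmatch(r"rounds=(\d+)", parts[2])
    return (scheme, int(m.group(1)) if m else GLIBC_DEFAULT_ROUNDS)

def audit(shadow_text, min_rounds=GLIBC_DEFAULT_ROUNDS):
    """List (user, scheme, rounds) for entries that still need a password change.

    min_rounds is an assumed site policy threshold, not a value from the page.
    """
    findings = []
    for line in shadow_text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, rounds = classify(field)
        weak = scheme not in ("SHA256", "SHA512") or rounds < min_rounds
        if scheme != "NONE" and weak:
            findings.append((user, scheme, rounds))
    return findings

# Constructed sample; salts and hash strings are dummies, not real hashes.
SAMPLE = """\
root:$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA:13969:0:99999:7:::
daemon:*:13969:0:99999:7:::
alice:$6$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:14000:0:99999:7:::
bob:!!$1$ijklmnop$CCCCCCCCCCCCCCCCCCCCCC:13969:0:99999:7:::
carol:$5$rounds=1000$saltsalt$DDDDDDDDDDDD:14000:0:99999:7:::
dave:abJnggxhB/yJk:13000:0:99999:7:::
"""
```

Running `audit()` on the real `/etc/shadow` contents requires root; locked accounts such as `bob` are reported too, since their old hash becomes usable again if the account is unlocked.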
Comment 1 Don Domingo 2008-03-31 22:48:30 UTC
Miloslav, this is the exact same release note that appears in the RHEL5.2 release notes, right?
Comment 2 Miloslav Trmač 2008-03-31 23:29:20 UTC
No.
* authconfig uses --kickstart instead of --update
* authconfig GUI does not support changing the hash
* libuser.conf man page does not exist

Perhaps there are other changes I cannot remember.
Comment 3 Don Domingo 2008-03-31 23:39:43 UTC
noted. release note added to RHEL4.7 under "Feature Updates". thanks!
Comment 4 Don Domingo 2008-06-02 23:15:29 UTC
Hi,

the RHEL4.7 release notes deadline is on June 17, 2008 (Tuesday). they will undergo a final proofread before being dropped to translation, at which point no further additions or revisions will be entertained.

a mockup of the RHEL4.7 release notes can be viewed here: http://intranet.corp.redhat.com/ic/intranet/RHEL4u7relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the release notes (if it needs to be). each item in the release notes contains a link to its original bug; as such, you can search through the release notes by bug number.

Cheers,
Don
Comment 5 Miloslav Trmač 2008-06-02 23:24:25 UTC
Please change both occurrences of "--update" in the release note to "--kickstart". "--update" is not supported in RHEL4.
Comment 6 Don Domingo 2008-06-02 23:51:13 UTC
thanks Miloslav. release notes revised (updated on mockup link as well)