Bug 700185

Summary: Default action of pam_unix.so
Product: [Fedora] Fedora Reporter: Mike <MikeDawg>
Component: pamAssignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: rawhideCC: tmraz
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-30 09:57:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mike 2011-04-27 17:18:49 UTC 
Description of problem:

The "default" action of the pam_unix.so module, when used in the password group, is to encrypt the password with the old DES encryption.

Like most pam modules, this is easily modified using additional options after using the module, and there are secure options available.

I am putting the idea out there, that the "default" option, or the option when no additional flags are passed to the pam_unix.so module, that it defaults to something more secure than DES encryption.


Version-Release number of selected component (if applicable):

5.8

How reproducible:

Can reproduce every time

Steps to Reproduce:
1. In any of the pam.d files, if the option is set:

password   required  pam_unix.so

  
Actual results:

Password is encrypted using DES

Expected results:

Password should be encrypted with a more secure algorithm such as SHA[256|512], or even md5 may be acceptable.

Additional info:
Comment 1 Tomas Mraz 2011-04-27 21:22:36 UTC 
This default cannot be changed in an already released Red Hat Enterprise Linux release. This should be requested as a feature for future Fedora Linux release so it can be included in a future Red Hat Enterprise Linux release.
Comment 2 Mike 2011-04-29 23:35:49 UTC 
I think the administrator or operator of the system should have to specify to actually downgrade the security to DES, rather than accidentally delete the flags, and lose a fair amount of security based on the default action of pam_unix.so
Comment 3 Tomas Mraz 2011-05-02 07:34:00 UTC 
I agree with you that the default should be changed, but it cannot be changed for already released Red Hat Enterprise Linux releases.
Comment 4 Tomas Mraz 2018-12-20 15:20:32 UTC 
This is going to be implemented for Fedora 30 with the switch to libxcrypt use.
Comment 5 Iker Pedrosa 2020-04-30 09:57:13 UTC 
This has already been fixed and it's included at least in Fedora 31 and 32. There's a directive in login.defs file called ENCRYPT_METHOD that allows to change the default encryption method to a more secure one.  In the aforementioned versions ENCRYPT_METHOD is set to SHA512 by default.