(`...` stands for using the appropriate markup)

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, use `authconfig --passalgo=sha256 --update` or `authconfig --passalgo=sha512 --update`. You can also configure the hashing method in a GUI using `authconfig-gtk`. Existing user accounts won't be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only for kickstart installations, by using the `--passalgo=sha256` or `--passalgo=sha512` options (and removing the `--enablemd5` option, if present) of the kickstart command `auth`. If your installation does not use kickstart, use `authconfig` as described above, then change the `root` password and passwords of any other users created after installation.

New options were added to `libuser`, `pam` and `shadow-utils` to support these password hashing algorithms. `authconfig` configures all these options automatically, so it is usually not necessary to modify them manually.

* New values of the `crypt_style` option and new options `hash_rounds_min` and `hash_rounds_max` are now supported in the `[defaults]` section of `/etc/libuser.conf`. See `libuser.conf(5)` for more details.
* New options `sha256`, `sha512` and `rounds` are now supported by the `pam_unix` PAM module. See `/usr/share/doc/pam-*/txts/README.pam_unix` for more details.
* The following new options in `/etc/login.defs` are now supported by `shadow-utils`:
  - `ENCRYPT_METHOD`: One of `DES`, `MD5`, `SHA256`, `SHA512`. If this option is defined, `MD5_CRYPT_ENAB` is ignored.
  - `SHA_CRYPT_MIN_ROUNDS`, `SHA_CRYPT_MAX_ROUNDS`: Specify the number of hashing rounds to use if `ENCRYPT_METHOD` is `SHA256` or `SHA512`. If neither option is present, a default value is chosen by `glibc`. If only one option is present, it specifies the number of rounds. If both options are present, they specify an inclusive interval from which the number of rounds is chosen randomly. The selected number of rounds is limited to the inclusive interval [1000, 999999999].
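Because existing accounts keep their old hashes until the password is changed, a host can be checked for leftovers after switching. The following is an added example, not part of the original comment or of any Red Hat tool: it applies the `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` rules described above and lists accounts whose `/etc/shadow` hash does not match `ENCRYPT_METHOD`. The function names, the sample data and the decision to reject a minimum larger than the maximum are assumptions of the example; the `$1$`, `$5$` and `$6$` prefixes are the crypt(3) identifiers for MD5, SHA-256 and SHA-512.

```python
import random

ROUNDS_LIMITS = (1000, 999_999_999)  # inclusive interval stated in the note
PREFIXES = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}  # crypt(3) ids

# Constructed samples (fake salts and hashes), not taken from a real host.
SAMPLE_LOGIN_DEFS = """\
MD5_CRYPT_ENAB yes        # ignored because ENCRYPT_METHOD is defined
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 10000
"""
SAMPLE_SHADOW = """\
root:$6$rounds=7500$fakesalt$fakehash:13900:0:99999:7:::
alice:$1$fakesalt$fakehash:13800:0:99999:7:::
bob:abFAKEDEShash:13700:0:99999:7:::
daemon:*:13700:0:99999:7:::
carol:!!:13900:0:99999:7:::
"""

def parse_login_defs(text):
    """Return {KEY: value} from login.defs-style text, dropping comments."""
    pairs = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) >= 2}

def pick_rounds(opts, rng=random):
    """Apply the MIN/MAX rules from the note; None means the glibc default."""
    given = [int(opts[k]) for k in ("SHA_CRYPT_MIN_ROUNDS", "SHA_CRYPT_MAX_ROUNDS") if k in opts]
    if not given:
        return None
    if len(given) == 2 and given[0] > given[1]:
        raise ValueError("min > max: not covered by the note, rejected here")
    n = rng.randint(given[0], given[-1])  # a single option yields exactly itself
    return max(ROUNDS_LIMITS[0], min(ROUNDS_LIMITS[1], n))

def shadow_method(field):
    """Classify one /etc/shadow password field by its crypt(3) prefix."""
    h = field.lstrip("!")  # leading '!' marks a locked password
    if h in ("", "*"):
        return "none"
    known = [name for prefix, name in PREFIXES.items() if h.startswith(prefix)]
    return known[0] if known else ("other" if h.startswith("$") else "DES")

def stale_accounts(shadow_text, login_defs_text):
    """List (user, method) pairs whose hash predates the configured method."""
    want = parse_login_defs(login_defs_text).get("ENCRYPT_METHOD")
    rows = (l.split(":") for l in shadow_text.splitlines() if ":" in l)
    found = [(r[0], shadow_method(r[1])) for r in rows]
    return [(u, m) for u, m in found if m not in ("none", want)]
```

On a real host, pass in the contents of `/etc/login.defs` and `/etc/shadow`; every account it returns still carries a hash from the previous method and needs a password change to be rehashed.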
thanks Miloslav! minor edits as follows:

<quote>

SHA-256 and SHA-512 Hash Functions

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, run authconfig --passalgo=sha256 --update or authconfig --passalgo=sha512 --update. To configure the hashing method through a GUI, use authconfig-gtk. Existing user accounts will not be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only for kickstart installations. To do so, use the --passalgo=sha256 or --passalgo=sha512 options of the kickstart command auth; also, remove the --enablemd5 option if present.

If your installation does not use kickstart, use authconfig as described above, then change all passwords (including root) created after installation.

Appropriate options were also added to libuser, pam, and shadow-utils to support these password hashing algorithms. authconfig configures necessary options automatically, so it is usually not necessary to modify them manually.

The following updates were also applied to support SHA-256 and SHA-512 hash functions:

* New values of the crypt_style option and new options for both hash_rounds_min and hash_rounds_max are now supported in the [defaults] section of /etc/libuser.conf. For more information, refer to man libuser.conf 5.
* New options sha256, sha512, and rounds are now supported by the pam_unix PAM module. For more information, refer to /usr/share/doc/pam-[pam version]/txts/README.pam_unix.
* The following new options in /etc/login.defs are now supported by shadow-utils:
  o ENCRYPT_METHOD — Specifies the encryption method to be used. Valid values are DES, MD5, SHA256, SHA512. If this option is defined, MD5_CRYPT_ENAB is ignored.
  o SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS — Specifies the number of hashing rounds to use if ENCRYPT_METHOD is set to SHA256 or SHA512. If neither option is set, a default value is chosen by glibc. If only one option is set, the encryption method specifies the number of rounds. If both options are used, they specify an inclusive interval from which the number of rounds is chosen randomly. The selected number of rounds is limited to the inclusive interval [1000, 999999999].

</quote>

please advise if any further revisions are required. for a better view of the note after formatting, please refer to:

http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html
Thank you.

I don't think "man libuser.conf 5" is a correct way to refer to the man page. (It works as a command, but reports "No manual entry for 5" after closing the man page.) The traditional format is "libuser.conf(5)"; the command to open the man page is "man 5 libuser.conf", or just "man libuser.conf".

I have two additional, minor, suggestions about the current text:

- The title of the section should, if possible, say that the paragraph refers to password hashing, not to SHA-{256,512} in general. Perhaps "Password hashing using SHA-256 and SHA-512"? (Or should that be "SHA-256 or SHA-512"? Each password is hashed using one of the two hashes, but different passwords may use different hashes.)

- > Appropriate options were also added to libuser, pam, and shadow-utils to
  > support these password hashing algorithms. authconfig configures necessary
  > options automatically, so it is usually not necessary to modify them manually.
  >
  > The following updates were also applied to support SHA-256 and SHA-512 hash
  > functions:
  >
  > * ....

  The list describes the options that are mentioned in the first quoted paragraph - I'm not sure it is correct to call them "updates".
thanks Miloslav, revised as suggested.

- man command corrected ("man libuser.conf")
- title changed to "Password Hashing Using SHA-256/SHA-512"
- removed para "The following updates were also applied..."
Hi,

the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:

http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the release notes (if it needs to be). each item in the release notes contains a link to its original bug; as such, you can search through the release notes by bug number.

Cheers,
Don