Bug 435804 - RHEL5.2 Release Notes: SHA-256 and SHA-512 support in password hashing
Summary: RHEL5.2 Release Notes: SHA-256 and SHA-512 support in password hashing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: redhat-release-notes
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Ryan Lerch
QA Contact: Joshua Wulf
URL:
Whiteboard:
Depends On: 380751 427388 427389 427395 427449 427795
Blocks: RHEL5u2_relnotes
 
Reported: 2008-03-03 23:00 UTC by Miloslav Trmač
Modified: 2014-10-19 22:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-24 00:51:57 UTC
Target Upstream Version:
Embargoed:



Description Miloslav Trmač 2008-03-03 23:00:22 UTC
(`...` stands for using the appropriate markup)

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, use `authconfig
--passalgo=sha256 --update` or `authconfig --passalgo=sha512 --update`.  You can
also configure the hashing method in a GUI using `authconfig-gtk`.  Existing
user accounts won't be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only for
kickstart installations, by using the `--passalgo=sha256` or `--passalgo=sha512`
options (and removing the `--enablemd5` option, if present) of the kickstart
command `auth`.  If your installation does not use kickstart, use `authconfig`
as described above, then change the `root` password and passwords of any other
users created after installation.

New options were added to `libuser`, `pam` and `shadow-utils` to support these
password hashing algorithms.  `authconfig` configures all these options
automatically, so it is usually not necessary to modify them manually.

* New values of the `crypt_style` option and new options
  `hash_rounds_min` and `hash_rounds_max` are now supported in the
  `[defaults]` section of `/etc/libuser.conf`.  See `libuser.conf(5)`
  for more details.

* New options `sha256`, `sha512` and `rounds` are now supported by the
  `pam_unix` PAM module.  See
  `/usr/share/doc/pam-*/txts/README.pam_unix` for more details.

* The following new options in `/etc/login.defs` are now supported by
  `shadow-utils`:

  - `ENCRYPT_METHOD`: One of `DES`, `MD5`, `SHA256`, `SHA512`.  If this
     option is defined, `MD5_CRYPT_ENAB` is ignored.

  - `SHA_CRYPT_MIN_ROUNDS`, `SHA_CRYPT_MAX_ROUNDS`: Specify the number
    of hashing rounds to use if `ENCRYPT_METHOD` is `SHA256` or
    `SHA512`.  If neither option is present, a default value is chosen
    by `glibc`.  If only one option is present, it specifies the number
    of rounds.  If both options are present, they specify an inclusive
    interval from which the number of rounds is chosen randomly.  The
    selected number of rounds is limited to the inclusive interval
    [1000, 999999999].
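As an added example (not part of the bug report, nor code from shadow-utils, libuser or authconfig): a Python script that applies the `ENCRYPT_METHOD` / `SHA_CRYPT_MIN_ROUNDS` / `SHA_CRYPT_MAX_ROUNDS` rules described above and flags accounts in a shadow file that still carry MD5 or DES hashes, i.e. the accounts that, as the note says, only move to the new method once their password is changed. The `login.defs` and shadow lines are constructed samples; the 5000-round glibc default and the `$1$`/`$5$`/`$6$` hash-id prefixes come from crypt(3)/crypt(5), not from this page; how reversed min/max bounds are handled is this example's own assumption.

```python
"""Added example: apply the login.defs rules quoted above and audit which
/etc/shadow entries still use a pre-SHA hash. Not code from the bug report."""
import random
import re

# crypt(3) hash-id prefixes as they appear in /etc/shadow ($1$, $5$, $6$).
HASH_IDS = {"1": "MD5", "5": "SHA256", "6": "SHA512"}
ROUNDS_FLOOR, ROUNDS_CEILING = 1000, 999999999  # limits quoted in the note
GLIBC_DEFAULT_ROUNDS = 5000                     # glibc's SHA-crypt default

# Constructed sample input, not a real /etc/login.defs.
SAMPLE_LOGIN_DEFS = """\
MD5_CRYPT_ENAB   yes            # ignored because ENCRYPT_METHOD is set
ENCRYPT_METHOD   SHA512
SHA_CRYPT_MIN_ROUNDS  4000
SHA_CRYPT_MAX_ROUNDS  6000
"""

# Constructed sample input with fake salts/hashes, not a real /etc/shadow.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$fakesalt$fakehash:13900:0:99999:7:::
alice:$1$fakesalt$fakemd5hash:13900:0:99999:7:::
bob:$5$fakesalt$fakesha256hash:13900:0:99999:7:::
carol:fakeDEShash13:13900:0:99999:7:::
daemon:*:13900:0:99999:7:::
"""

KEY_VALUE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s+(\S+)")


def parse_login_defs(text):
    """Return {KEY: value} from login.defs-style text; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line.split("#", 1)[0])
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def effective_method(conf):
    """ENCRYPT_METHOD wins when defined; otherwise MD5_CRYPT_ENAB decides."""
    if "ENCRYPT_METHOD" in conf:
        return conf["ENCRYPT_METHOD"].upper()
    return "MD5" if conf.get("MD5_CRYPT_ENAB", "no").lower() == "yes" else "DES"


def choose_rounds(conf, rng=random):
    """Rounds shadow-utils would use per the note; None if not SHA256/SHA512."""
    if effective_method(conf) not in ("SHA256", "SHA512"):
        return None
    lo = conf.get("SHA_CRYPT_MIN_ROUNDS")
    hi = conf.get("SHA_CRYPT_MAX_ROUNDS")
    if lo is None and hi is None:
        return GLIBC_DEFAULT_ROUNDS                 # neither set: glibc picks
    if lo is None or hi is None:
        rounds = int(lo if lo is not None else hi)  # one set: use it directly
    else:
        # Both set: pick uniformly from the inclusive interval. Reversed
        # bounds are not covered by the note; sorting them is this example's
        # assumption, not documented shadow-utils behaviour.
        lo, hi = sorted((int(lo), int(hi)))
        rounds = rng.randint(lo, hi)
    return max(ROUNDS_FLOOR, min(ROUNDS_CEILING, rounds))  # clamp to the limits


def classify_hash(field):
    """Map one shadow password field to (algorithm, rounds or None)."""
    if field == "" or field.startswith(("*", "!")):
        return ("locked-or-empty", None)
    if not field.startswith("$"):
        return ("DES", None)                 # traditional 13-character crypt
    parts = field.split("$")                 # ['', id, ['rounds=N',] salt, hash]
    algo = HASH_IDS.get(parts[1], "unknown")
    rounds = None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    elif algo in ("SHA256", "SHA512"):
        rounds = GLIBC_DEFAULT_ROUNDS        # no rounds= field means the default
    return (algo, rounds)


def audit_shadow(text, wanted=("SHA256", "SHA512")):
    """Return {user: algorithm} for accounts whose hash is not yet SHA-256/512.

    These accounts only move to the new method when their password changes.
    """
    stale = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algo, _ = classify_hash(fields[1])
        if algo not in wanted and algo != "locked-or-empty":
            stale[fields[0]] = algo
    return stale


def sample_rounds():
    """Rounds chosen for the constructed login.defs sample (4000..6000)."""
    return choose_rounds(parse_login_defs(SAMPLE_LOGIN_DEFS))


if __name__ == "__main__":
    print("method:", effective_method(parse_login_defs(SAMPLE_LOGIN_DEFS)))
    print("rounds:", sample_rounds())
    print("accounts still on old hashes:", audit_shadow(SAMPLE_SHADOW))
```

Run against a real system as `audit_shadow(open("/etc/shadow").read())` (root required) after switching with `authconfig --passalgo=sha512 --update` to see which users still need a password change; `choose_rounds` shows why setting only one of the two `SHA_CRYPT_*_ROUNDS` options gives a fixed count while setting both gives a per-password random count.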

Comment 1 Don Domingo 2008-03-05 00:57:43 UTC
thanks Miloslav! minor edits as follows:

<quote>
SHA-256 and SHA-512 Hash Functions

    Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

    To switch to SHA-256 or SHA-512 on an installed system, run authconfig
--passalgo=sha256 --update or authconfig --passalgo=sha512 --update. To
configure the hashing method through a GUI, use authconfig-gtk. Existing user
accounts will not be affected until their passwords are changed.

    For newly installed systems, using SHA-256 or SHA-512 can be configured only
for kickstart installations. To do so, use the --passalgo=sha256 or
--passalgo=sha512 options of the kickstart command auth; also, remove the
--enablemd5 option if present.

    If your installation does not use kickstart, use authconfig as described
above, then change all passwords (including root) created after installation.

    Appropriate options were also added to libuser, pam, and shadow-utils to
support these password hashing algorithms. authconfig configures necessary
options automatically, so it is usually not necessary to modify them manually.

    The following updates were also applied to support SHA-256 and SHA-512 hash
functions:

        * New values of the crypt_style option and new options for both
hash_rounds_min and hash_rounds_max are now supported in the [defaults] section
of /etc/libuser.conf. For more information, refer to man libuser.conf 5.
        * New options sha256, sha512, and rounds are now supported by the
pam_unix PAM module. For more information, refer to /usr/share/doc/pam-[pam
version]/txts/README.pam_unix.
        * The following new options in /etc/login.defs are now supported by
shadow-utils:
              o ENCRYPT_METHOD — Specifies the encryption method to be used.
Valid values are DES, MD5, SHA256, SHA512. If this option is defined,
MD5_CRYPT_ENAB is ignored.
              o SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS — Specifies the
number of hashing rounds to use if ENCRYPT_METHOD is set to SHA256 or SHA512. If
neither option is set, a default value is chosen by glibc. If only one option is
set, the encryption method specifies the number of rounds.

                If both options are used, they specify an inclusive interval
from which the number of rounds is chosen randomly. The selected number of
rounds is limited to the inclusive interval [1000, 999999999].
</quote>

please advise if any further revisions are required. for a better view of the
note after formatting, please refer to:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html



Comment 2 Miloslav Trmač 2008-03-05 01:13:01 UTC
Thank you.

I don't think "man libuser.conf 5" is a correct way to refer to the man page. 
(It works as a command, but reports "No manual entry for 5" after closing the
man page.)  The traditional format is "libuser.conf(5)"; the command to open the
man page is "man 5 libuser.conf", or just "man libuser.conf".

I have two additional, minor, suggestions about the current text:
- The title of the section should, if possible, say that the paragraph refers to
  password hashing, not to SHA-{256,512} in general.  Perhaps
  "Password hashing using SHA-256 and SHA-512"?
  (Or should that be "SHA-256 or SHA-512"?  Each password is hashed using one
  of the two hashes, but different passwords may use different hashes.)

- 
>   Appropriate options were also added to libuser, pam, and shadow-utils to
> support these password hashing algorithms. authconfig configures necessary
> options automatically, so it is usually not necessary to modify them manually.
>
>  The following updates were also applied to support SHA-256 and SHA-512 hash
> functions:
>
>  * ....
  The list describes the options that are mentioned in the first quoted
  paragraph - I'm not sure it is correct to call them "updates".


Comment 3 Don Domingo 2008-03-05 01:52:08 UTC
thanks Miloslav, revised as suggested.

- man command corrected ("man libuser.conf")
- title changed to "Password Hashing Using SHA-256/SHA-512"
- removed para "The following updates were also applied..."

Comment 4 Don Domingo 2008-04-02 02:16:00 UTC
Hi,
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don

