Bug 439805 - RHEL4.7 Release Notes: Password Hashing using SHA-256/SHA-512
Summary: RHEL4.7 Release Notes: Password Hashing using SHA-256/SHA-512
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: redhat-release
Version: 4.7
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Ryan Lerch
QA Contact: Content Services Development
Depends On: 228697 427384 427394 427397 427448 427800
Blocks: RHEL4u7_relnotes
TreeView+ depends on / blocked
Reported: 2008-03-31 14:55 UTC by Miloslav Trmač
Modified: 2008-08-28 00:03 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2008-08-28 00:03:14 UTC

Attachments (Terms of Use)

Description Miloslav Trmač 2008-03-31 14:55:29 UTC
(`...` stands for the appropriate markup)

Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, run `authconfig
--passalgo=sha256 --kickstart` or `authconfig --passalgo=sha512 --kickstart`.
Existing user accounts will not be affected until their passwords are changed.

For newly installed systems, using SHA-256 or SHA-512 can be configured only
for kickstart installations. To do so, use the `--passalgo=sha256` or
`--passalgo=sha512` options of the kickstart command `auth`; also, remove the
`--enablemd5` option if present.

If your installation does not use kickstart, use `authconfig` as described
above, then change all passwords (including `root`) created after installation.

Appropriate options were also added to `libuser`, `pam`, and `shadow-utils` to
support these password hashing algorithms.  `authconfig` configures necessary
options automatically, so it is usually not necessary to modify them manually.

* New values of the `crypt_style` option and new options for both
  `hash_rounds_min` and `hash_rounds_max` are now supported in the `[defaults]`
  section of `/etc/libuser.conf`. For more information, refer to
  `/usr/share/doc/libuser-[libuser version]/README.sha`.

* New options `sha256`, `sha512`, and `rounds` are now supported by the
  `pam_unix` PAM module. For more information, refer to
  `/usr/share/doc/pam-[pam version]/txts/README.pam_unix`.

* The following new options in `/etc/login.defs` are now supported by

   o `ENCRYPT_METHOD` — Specifies the encryption methos to be used.  Valid
     values are `DES`, `MD5`, `SHA256`, `SHA512`. If this option is defined,
     `MD5_CRYPT_ENAB` is ignored.

   o `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` — Specifies the number
      of hashing rounds to use if `ENCRYPT_METHOD` is set to `SHA256` or
      `SHA512`. If neither option is set, a default value is chosen by
      `glibc`. If only one option is set, the encryption method specifies the
      number of rounds.

      If both options are used, they specify an inclusive interval from which
      the number of rounds is chosen randomly. The selected number of rounds is
      limited to the inclusive interval [1000, 999999999].

Comment 1 Don Domingo 2008-03-31 22:48:30 UTC
Miloslav, this is the exact same release note that appears in the RHEL5.2
release notes, right? 

Comment 2 Miloslav Trmač 2008-03-31 23:29:20 UTC
* authconfig uses --kickstart instead of --update
* authconfig GUI does not support changing the hash
* libuser.conf man page does not exist
Perhaps there are other changes I cannot remember.

Comment 3 Don Domingo 2008-03-31 23:39:43 UTC
noted. release note added to RHEL4.7 under "Feature Updates". thanks!

Comment 4 Don Domingo 2008-06-02 23:15:29 UTC

the RHEL4.7 release notes deadline is on June 17, 2008 (Tuesday). they will
undergo a final proofread before being dropped to translation, at which point no
further additions or revisions will be entertained.

a mockup of the RHEL4.7 release notes can be viewed here:

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.


Comment 5 Miloslav Trmač 2008-06-02 23:24:25 UTC
Please change both occurrences of "--update" in the release note to "--kickstart".

"--update" is not supported in RHEL4.

Comment 6 Don Domingo 2008-06-02 23:51:13 UTC
thanks Miloslav. release notes revised (updated on mockup link as well)

Note You need to log in before you can comment on or make changes to this bug.