Red Hat Bugzilla – Bug 439805
RHEL4.7 Release Notes: Password Hashing using SHA-256/SHA-512
Last modified: 2008-08-27 20:03:14 EDT
(`...` stands for the appropriate markup)
Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
To switch to SHA-256 or SHA-512 on an installed system, run
`authconfig --passalgo=sha256 --kickstart` or
`authconfig --passalgo=sha512 --kickstart`.
Existing user accounts will not be affected until their passwords are changed.
For newly installed systems, using SHA-256 or SHA-512 can be configured only
for kickstart installations. To do so, use the `--passalgo=sha256` or
`--passalgo=sha512` options of the kickstart command `auth`; also, remove the
`--enablemd5` option if present.
If your installation does not use kickstart, use `authconfig` as described
above, then change all passwords (including `root`) created after installation.
Appropriate options were also added to `libuser`, `pam`, and `shadow-utils` to
support these password hashing algorithms. `authconfig` configures necessary
options automatically, so it is usually not necessary to modify them manually.
* New values of the `crypt_style` option and new options for both
  `hash_rounds_min` and `hash_rounds_max` are now supported in the `[defaults]`
  section of `/etc/libuser.conf`. For more information, refer to
* New options `sha256`, `sha512`, and `rounds` are now supported by the
  `pam_unix` PAM module. For more information, refer to
* The following new options in `/etc/login.defs` are now supported by
  o `ENCRYPT_METHOD` — Specifies the encryption method to be used. Valid
    values are `DES`, `MD5`, `SHA256`, `SHA512`. If this option is defined,
    `MD5_CRYPT_ENAB` is ignored.
  o `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` — Specifies the number
    of hashing rounds to use if `ENCRYPT_METHOD` is set to `SHA256` or
    `SHA512`. If neither option is set, a default value is chosen by
    `glibc`. If only one option is set, the encryption method specifies the
    number of rounds.
    If both options are used, they specify an inclusive interval from which
    the number of rounds is chosen randomly. The selected number of rounds is
    limited to the inclusive interval [1000, 999999999].
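Because existing accounts keep their old hash until the password is changed, an audit after switching the algorithm is useful. The following is an added example, not part of the release note or of any Red Hat tool: it reads `ENCRYPT_METHOD` from `login.defs` text and lists accounts whose `/etc/shadow` hash still uses another method, based on the standard crypt(3) prefixes (`$1$`, `$5$`, `$6$`, optional `rounds=N`). The function names and the sample data are assumptions constructed for illustration.

```python
import re

PREFIX = {"1": "MD5", "5": "SHA256", "6": "SHA512"}   # crypt(3) method ids
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")           # traditional DES crypt

def classify(field):
    """Return (method, rounds) for one /etc/shadow password field."""
    h = field.lstrip("!")            # a locked account keeps its hash after '!'
    if h in ("", "*"):
        return (None, None)          # no password hash to migrate
    if h.startswith("$"):
        parts = h.split("$")         # ['', id, 'rounds=N' or salt, ...]
        method = PREFIX.get(parts[1], "UNKNOWN")
        m = re.fullmatch(r"rounds=(\d+)", parts[2]) if len(parts) > 2 else None
        return (method, int(m.group(1)) if m else None)
    return ("DES", None) if DES_RE.match(h) else ("UNKNOWN", None)

def encrypt_method(login_defs):
    """Read ENCRYPT_METHOD from login.defs text; None if it is not set."""
    for line in login_defs.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "ENCRYPT_METHOD":
            return words[1].upper()
    return None

def stale_accounts(shadow, login_defs):
    """Accounts whose stored hash does not use the configured method."""
    wanted = encrypt_method(login_defs)
    if wanted is None:
        raise ValueError("ENCRYPT_METHOD is not set in login.defs")
    out = []
    for line in shadow.split():      # shadow entries contain no whitespace
        user, field = line.split(":")[:2]
        method, _rounds = classify(field)
        if method is not None and method != wanted:
            out.append((user, method))
    return out

# Constructed sample data (hash bodies are placeholders, not real hashes)
LOGIN_DEFS = "MD5_CRYPT_ENAB yes\nENCRYPT_METHOD SHA512\n"
SHADOW = """root:$1$CONSTRUCT$placeholderplaceholder00:14000:0:99999:7:::
alice:$6$rounds=10000$CONSTRUCTEDSALT$placeholder:14100:0:99999:7:::
bob:!$1$CONSTRUCT$placeholderplaceholder00:14000:0:99999:7:::
daemon:*:13900:0:99999:7:::
carol:CONSTRUCTED12:13000:0:99999:7:::
"""

if __name__ == "__main__":
    print(stale_accounts(SHADOW, LOGIN_DEFS))
```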
Miloslav, this is the exact same release note that appears in the RHEL5.2
release notes, right?
* authconfig uses --kickstart instead of --update
* authconfig GUI does not support changing the hash
* libuser.conf man page does not exist
Perhaps there are other changes I cannot remember.
noted. release note added to RHEL4.7 under "Feature Updates". thanks!
the RHEL4.7 release notes deadline is on June 17, 2008 (Tuesday). they will
undergo a final proofread before being dropped to translation, at which point no
further additions or revisions will be entertained.
a mockup of the RHEL4.7 release notes can be viewed here:
please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
Please change both occurrences of "--update" in the release note to "--kickstart".
"--update" is not supported in RHEL4.
thanks Miloslav. release notes revised (updated on mockup link as well)