Bug 500176 - RFE: Update auth / authconfig kickstart options to include sha256 and/or sha512
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: anaconda
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Anaconda Maintenance Team
QA Contact: Release Test Team
Reported: 2009-05-11 10:18 EDT by Jim Perrin
Modified: 2009-05-19 11:10 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-19 11:10:58 EDT
Description Jim Perrin 2009-05-11 10:18:01 EDT
Description of problem:
Authconfig supports the more secure sha256 and sha512 algorithms for password protection; however, these options are not enabled in anaconda for kickstarting, nor are they in the authconfig-tui run for firstboot.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Install Red Hat 5.3 with a kickstart file
2. See http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
  
Actual results:
--enablemd5 is available

Expected results:
--enablesha512 is not listed in the documentation, nor does it work if you try it anyway. 

Additional info:
Following http://csrc.nist.gov/groups/ST/hash/statement.html, it would be nice for more paranoid admins to have the ability to choose sha256 or sha512 as the default from the menu or via kickstart.
Comment 1 Chris Lumens 2009-05-19 11:10:58 EDT
The next major release of RHEL will no longer have these constraints, nor will it miss future parameters added to the authconfig command.  Instead of parsing that line ourselves and then passing it on to authconfig, we just pass the entire string on and let authconfig worry about whether it supports a given parameter or not.

This is a bit of a large change to go into an update release so it probably won't get backported.  Just supporting these options is easier, but leaves us open to similar issues in the future.  So I'd prefer to just deal with this in RHEL6 if at all possible.  If you do require this change in an update release of RHEL5, please speak with your support representative who will be happy to raise this through the appropriate channels so we can deal with the scheduling of it.  Thanks for the bug report.
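
An added example, not part of the bug report and not anaconda or authconfig code: a small Python audit that reports which password-hash algorithm each auth/authconfig line of a kickstart file requests. It assumes authconfig's `--passalgo` option is how sha256/sha512 is selected where supported (the report itself names only `--enablemd5` and `--enablesha512`); the sample kickstart text is constructed.

```python
WEAK = {"descrypt", "bigcrypt", "md5"}
STRONG = {"sha256", "sha512"}
# Flag the report says RHEL 5.3 kickstart does not accept.
REJECTED = {"--enablesha512"}


def audit_auth_line(line):
    """Return the hash choice on one auth/authconfig line, else None."""
    tokens = line.split()  # the flags of interest carry no spaces
    if not tokens or tokens[0] not in ("auth", "authconfig"):
        return None
    algos, notes = [], []
    args = iter(tokens[1:])
    for tok in args:
        if tok == "--enablemd5":
            algos.append("md5")
        elif tok.startswith("--passalgo="):
            algos.append(tok.split("=", 1)[1].strip("\"'").lower())
        elif tok == "--passalgo":
            algos.append(next(args, "").strip("\"'").lower())
        elif tok in REJECTED:
            notes.append(tok + ": reported as not accepted on RHEL 5.3")
        # Other options are ignored here; authconfig validates them.
    if any(a in WEAK for a in algos):
        verdict = "weak"  # mixed requests count as weak (assumption)
    elif algos and all(a in STRONG for a in algos):
        verdict = "strong"
    else:
        verdict = "unknown" if algos else "unspecified"
    return {"algos": algos, "verdict": verdict, "notes": notes}


def audit_kickstart(text):
    """Return (line_number, finding) for every auth/authconfig line."""
    pairs = ((n, audit_auth_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, f) for n, f in pairs if f is not None]


# Constructed sample kickstart text, not taken from the bug report.
SAMPLE_KS = "\n".join([
    "install",
    "auth --enableshadow --enablemd5",
    "authconfig --enableshadow --passalgo=sha512",
    "auth --enableshadow --enablesha512",
])

if __name__ == "__main__":
    for number, finding in audit_kickstart(SAMPLE_KS):
        print(number, finding["verdict"], finding["algos"], finding["notes"])
```

A line that requests no algorithm is reported as "unspecified" rather than guessed, since the resulting default depends on the release.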
