Red Hat Bugzilla – Bug 500176
RFE: Update auth / authconfig kickstart options to include sha256 and/or sha512
Last modified: 2009-05-19 11:10:58 EDT
Description of problem:
Authconfig supports the more secure sha256 and sha512 algorithms for password protection; however, these options are not enabled in anaconda for kickstarting, nor are they in the authconfig-tui run for firstboot.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install Red Hat 5.3 with a kickstart file
2. See http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
--enablemd5 is available
--enablesha512 is not listed in the documentation, nor does it work if you try it anyway.
Following http://csrc.nist.gov/groups/ST/hash/statement.html, it would be nice for more paranoid admins to have the ability to choose sha256 or sha512 as the default from the menu or via kickstart.
The next major release of RHEL will no longer have these constraints, nor will it miss future parameters added to the authconfig command. Instead of parsing that line ourselves and then passing it on to authconfig, we just pass the entire string on and let authconfig worry about whether it supports a given parameter or not.
This is a bit of a large change to go into an update release so it probably won't get backported. Just supporting these options is easier, but leaves us open to similar issues in the future. So I'd prefer to just deal with this in RHEL6 if at all possible. If you do require this change in an update release of RHEL5, please speak with your support representative who will be happy to raise this through the appropriate channels so we can deal with the scheduling of it. Thanks for the bug report.
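A post-install check related to this request, as an added example (not from the bug report, anaconda or authconfig): it classifies shadow-format password fields by their crypt(3) prefix (`$1$` MD5, `$5$` SHA-256, `$6$` SHA-512) and lists the accounts that are not on an accepted scheme. The sample entries are constructed placeholders, and the function names are this example's own.

```python
"""Report which crypt(3) scheme each shadow-format entry uses."""

# glibc crypt(3) modular format is $id$salt$hash; these ids are standard.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}

# Constructed sample data: the salts and hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$constructed$NOTAREALHASH:14383:0:99999:7:::
alice:$6$constructed$NOTAREALHASH:14383:0:99999:7:::
bob:$5$constructed$NOTAREALHASH:14383:0:99999:7:::
daemon:*:14383:0:99999:7:::
carol:!$1$constructed$NOTAREALHASH:14383:0:99999:7:::
legacy:abCONSTRUCTED:14383:0:99999:7:::
"""


def classify(field):
    """Return the scheme name for one shadow password field."""
    if field == "":
        return "empty"                # no password set at all
    body = field.lstrip("!")          # a leading '!' only locks the account
    if body in ("", "*"):
        return "locked"               # no usable hash is stored
    if body.startswith("$"):
        parts = body.split("$")       # ['', id, salt (or rounds=N), ...]
        if len(parts) >= 4:
            return SCHEMES.get(parts[1], "unknown")
        return "unknown"
    # Traditional DES crypt output is exactly 13 characters with no '$'.
    return "descrypt" if len(body) == 13 else "unknown"


def audit(shadow_text, accepted=("sha256", "sha512")):
    """Return (user, scheme) for entries whose hash is not an accepted scheme."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = classify(fields[1])
        # A locked account that still carries an old hash is reported too.
        if scheme not in accepted and scheme != "locked":
            findings.append((fields[0], scheme))
    return findings


if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW):
        print("%s: %s" % (user, scheme))
```

Changing the configured algorithm does not rehash existing entries, so accounts listed here stay on the old scheme until their passwords are next set.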