Bug 700185 - Default action of pam_unix.so
Default action of pam_unix.so
Status: NEW
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
All Linux
unspecified Severity low
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2011-04-27 13:18 EDT by Mike
Modified: 2011-05-02 03:34 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mike 2011-04-27 13:18:49 EDT
Description of problem:

The "default" action of the pam_unix.so module, when used in the password group, is to encrypt the password with the old DES encryption.

Like most pam modules, this is easily modified using additional options after using the module, and there are secure options available.

I am putting the idea out there, that the "default" option, or the option when no additional flags are passed to the pam_unix.so module, that it defaults to something more secure than DES encryption.

Version-Release number of selected component (if applicable):


How reproducible:

Can reproduce every time

Steps to Reproduce:
1. In any of the pam.d files, if the option is set:

password   required  pam_unix.so

Actual results:

Password is encrypted using DES

Expected results:

Password should be encrypted with a more secure algorithm such as SHA[256|512], or even md5 may be acceptable.

Additional info:
Comment 1 Tomas Mraz 2011-04-27 17:22:36 EDT
This default cannot be changed in an already released Red Hat Enterprise Linux release. This should be requested as a feature for future Fedora Linux release so it can be included in a future Red Hat Enterprise Linux release.
Comment 2 Mike 2011-04-29 19:35:49 EDT
I think the administrator or operator of the system should have to specify to actually downgrade the security to DES, rather than accidentally delete the flags, and lose a fair amount of security based on the default action of pam_unix.so
Comment 3 Tomas Mraz 2011-05-02 03:34:00 EDT
I agree with you that the default should be changed, but it cannot be changed for already released Red Hat Enterprise Linux releases.

Note You need to log in before you can comment on or make changes to this bug.