Description of problem: The "default" action of the pam_unix.so module, when used in the password group, is to encrypt the password with the old DES encryption. Like most pam modules, this is easily modified using additional options after using the module, and there are secure options available. I am putting the idea out there, that the "default" option, or the option when no additional flags are passed to the pam_unix.so module, that it defaults to something more secure than DES encryption. Version-Release number of selected component (if applicable): 5.8 How reproducible: Can reproduce every time Steps to Reproduce: 1. In any of the pam.d files, if the option is set: password required pam_unix.so Actual results: Password is encrypted using DES Expected results: Password should be encrypted with a more secure algorithm such as SHA[256|512], or even md5 may be acceptable. Additional info:
This default cannot be changed in an already released Red Hat Enterprise Linux release. This should be requested as a feature for future Fedora Linux release so it can be included in a future Red Hat Enterprise Linux release.
I think the administrator or operator of the system should have to specify to actually downgrade the security to DES, rather than accidentally delete the flags, and lose a fair amount of security based on the default action of pam_unix.so
I agree with you that the default should be changed, but it cannot be changed for already released Red Hat Enterprise Linux releases.
This is going to be implemented for Fedora 30 with the switch to libxcrypt use.
This has already been fixed and it's included at least in Fedora 31 and 32. There's a directive in login.defs file called ENCRYPT_METHOD that allows to change the default encryption method to a more secure one. In the aforementioned versions ENCRYPT_METHOD is set to SHA512 by default.