Bug 700185 - Default action of pam_unix.so
Summary: Default action of pam_unix.so
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-04-27 17:18 UTC by Mike
Modified: 2020-04-30 09:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-04-30 09:57:13 UTC
Type: ---
Embargoed:



Description Mike 2011-04-27 17:18:49 UTC
Description of problem:

The "default" action of the pam_unix.so module, when used in the password group, is to encrypt the password with the old DES encryption.

Like most pam modules, this is easily modified using additional options after using the module, and there are secure options available.

I am putting the idea out there that the "default" option, i.e. the behaviour when no additional flags are passed to the pam_unix.so module, should default to something more secure than DES encryption.


Version-Release number of selected component (if applicable):

5.8

How reproducible:

Can reproduce every time

Steps to Reproduce:
1. In any of the pam.d files, if the option is set:

password   required  pam_unix.so

  
Actual results:

Password is encrypted using DES

Expected results:

Password should be encrypted with a more secure algorithm such as SHA[256|512], or even md5 may be acceptable.

Additional info:

Comment 1 Tomas Mraz 2011-04-27 21:22:36 UTC
This default cannot be changed in an already released Red Hat Enterprise Linux release. This should be requested as a feature for a future Fedora Linux release so it can be included in a future Red Hat Enterprise Linux release.

Comment 2 Mike 2011-04-29 23:35:49 UTC
I think the administrator or operator of the system should have to specify to actually downgrade the security to DES, rather than accidentally deleting the flags and losing a fair amount of security based on the default action of pam_unix.so.

Comment 3 Tomas Mraz 2011-05-02 07:34:00 UTC
I agree with you that the default should be changed, but it cannot be changed for already released Red Hat Enterprise Linux releases.

Comment 4 Tomas Mraz 2018-12-20 15:20:32 UTC
This is going to be implemented for Fedora 30 with the switch to libxcrypt.

Comment 5 Iker Pedrosa 2020-04-30 09:57:13 UTC
This has already been fixed and it's included at least in Fedora 31 and 32. There's a directive in the login.defs file called ENCRYPT_METHOD that allows changing the default encryption method to a more secure one. In the aforementioned versions ENCRYPT_METHOD is set to SHA512 by default.
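The reproduction step in the description (a bare `password required pam_unix.so` line) and the ENCRYPT_METHOD resolution described in Comment 5 can be checked together with a small configuration audit. The script below is an added example, not code from the bug report, from the pam project or from Fedora. It assumes what the thread states: a pam_unix password line with no hash option falls back to a default, which the report says was DES on the affected releases and which, per Comment 5, comes from ENCRYPT_METHOD in login.defs (SHA512 by default) on Fedora 31 and later. The hash-option names are the ones documented for pam_unix; the pam.d and login.defs contents are constructed samples, not real system files, and the "last option wins" rule for duplicate hash options is an assumption of this example.

```python
"""Audit which password hash pam_unix would apply, given pam.d lines and login.defs.

Added example for bug 700185 (not part of the report or of pam). Assumptions:
  * a `password` line using pam_unix.so with no hash option falls back to a
    default; the report says that default was DES on the affected releases;
  * on Fedora 31+ (Comment 5) the default comes from ENCRYPT_METHOD in
    /etc/login.defs instead, SHA512 out of the box;
  * if several hash options appear on one line, the last one wins (assumption).
All file contents below are constructed samples, not real system files.
"""
import re

# Hash-selection options pam_unix understands (as documented on its man page).
HASH_OPTIONS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
                "yescrypt", "gost_yescrypt"}
# Methods a defender should treat as too weak for new password hashes.
WEAK = {"DES", "MD5", "BIGCRYPT"}


def parse_login_defs(text):
    """Return the ENCRYPT_METHOD value from login.defs text, or None if unset."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"ENCRYPT_METHOD\s+(\S+)", line)
        if m:
            return m.group(1).upper()
    return None


def effective_hash(pam_line, encrypt_method=None):
    """Hash pam_unix would use for one pam.d line.

    Returns None when the line is not a `password ... pam_unix.so` line.
    """
    line = pam_line.split("#", 1)[0].strip()
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or fields[2] != "pam_unix.so":
        return None
    explicit = [opt for opt in fields[3:] if opt.lower() in HASH_OPTIONS]
    if explicit:
        return explicit[-1].upper()     # assumption: last hash option wins
    if encrypt_method:
        return encrypt_method           # Fedora 31+ behaviour (Comment 5)
    return "DES"                        # legacy module default from the report


def audit(pam_text, login_defs_text=None):
    """Return [(line_no, line, hash, is_weak)] for every pam_unix password line."""
    method = parse_login_defs(login_defs_text) if login_defs_text else None
    findings = []
    for no, raw in enumerate(pam_text.splitlines(), 1):
        h = effective_hash(raw, method)
        if h is not None:
            findings.append((no, raw.strip(), h, h in WEAK))
    return findings


# Constructed sample: the bare line from "Steps to Reproduce".
SAMPLE_PAM_D = """\
# constructed sample of a pam.d file (not a real file)
auth       required  pam_unix.so
password   required  pam_unix.so
"""
# Constructed sample: the same line with an explicit strong hash option.
HARDENED_PAM_D = "password   required  pam_unix.so sha512 shadow nullok\n"
# Constructed sample of login.defs as shipped on Fedora 31+ per Comment 5.
SAMPLE_LOGIN_DEFS = "# constructed sample\nENCRYPT_METHOD SHA512\n"

if __name__ == "__main__":
    for label, pam, defs in (("legacy default", SAMPLE_PAM_D, None),
                             ("login.defs default", SAMPLE_PAM_D, SAMPLE_LOGIN_DEFS),
                             ("explicit sha512", HARDENED_PAM_D, None)):
        for no, line, h, weak in audit(pam, defs):
            print(f"{label}: line {no}: {line!r} -> {h}{' (WEAK)' if weak else ''}")
```

Run against real files with `audit(open('/etc/pam.d/system-auth').read(), open('/etc/login.defs').read())`; a finding marked WEAK means the effective hash is DES, MD5 or bigcrypt and the line should carry an explicit `sha512` (or stronger) option, or ENCRYPT_METHOD should be set, rather than relying on the module default the report describes.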

