1. Overview
Robust security practices are paramount in Linux system administration. In particular, password security plays a pivotal role in safeguarding sensitive user data and ensuring the integrity of systems.
To that end, employing strong password hashing algorithms is an important aspect of enhancing password security.
In this tutorial, we’ll learn how to set the default password algorithm to SHA512. In particular, SHA512 is a highly secure and widely adopted hashing method. Moreover, we’ll look at a real-life scenario to illustrate each step, ensuring a comprehensive understanding of the process.
2. Theoretical Understanding
In this section, we’ll cover the theory we need before moving on to the practical steps.
2.1. SHA512 Advantages
SHA512 is a cryptographic hash function. In detail, it stands out as a formidable option due to its extensive computational complexity, making it extremely difficult, even with the most powerful hardware, to recover the original input from its hash.
Let’s see some of the SHA512 advantages:
- strong security: high level of security because it’s computationally complex
- resistance to brute-force attacks: algorithm extremely resistant to brute-force attacks, where attackers try all possible combinations to guess a password or code
- data integrity: ensures the integrity of data by producing a unique hash value for each unique set of data, where even a small change in the input data results in a significantly different hash
- widely used standard: widely adopted standard, compatible with various systems and applications, promoting interoperability and ease of implementation
These are just some of the many advantages of the SHA512 hashing algorithm.
2.2. Important Configuration Files
The process of setting the default password algorithm to SHA512 in Linux involves configuring the system-wide /etc/login.defs file. In particular, this file contains various parameters that control user authentication and login behavior.
Let’s check some of the parameters that govern password policies in this file:
- minimum password length
- maximum password age
- whether to require a password change on the first login
Furthermore, the specific parameter we’ll be modifying is ENCRYPT_METHOD, which dictates the password hashing algorithm we employ when generating and storing password hashes.
The default value of ENCRYPT_METHOD is typically SHA256, which offers decent password security. However, switching to SHA512 provides an extra layer of protection by making it computationally infeasible for attackers to recover passwords using brute-force or dictionary attacks.
3. Step-by-Step Practical Guide
In this section, we’ll follow a step-by-step guide to configure the hashing algorithm SHA512.
3.1. Managing /etc/login.defs
To begin with, let’s open the login.defs file for editing:
$ sudo vim /etc/login.defs
QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
MAIL_FILE .mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
...
ENCRYPT_METHOD SHA256
In the above snippet, we used the sudo command to gain superuser privileges. Afterward, we used the vim command to open the file in the Vim editor. We chose Vim, but we could have used any editor such as nano, or even a non-interactive tool such as sed. Finally, we supplied the file path, /etc/login.defs.
3.2. Modifying ENCRYPT_METHOD
Next, we search the login.defs file in Vim for the ENCRYPT_METHOD parameter. As we can see from the snippet above, the hashing algorithm used in this example is SHA256. Accordingly, we’ll change this to our preferred value and set it to SHA512.
Let’s check how to modify the ENCRYPT_METHOD parameter:
:%s/SHA256$/SHA512/g
Here, we use Vim’s search-and-replace command to find the string SHA256 at the end of a line (the $ anchor) in the /etc/login.defs file and replace it with SHA512. Note that login.defs spells the algorithm names without a hyphen (SHA256, SHA512), so the pattern must match that spelling. In particular, % applies the command to every line, s stands for substitute, and SHA512 is the replacement text. Finally, the g at the end means global, i.e., a replacement of all occurrences on each matching line.
Finally, after saving the file and exiting Vim, we print the file to make sure the value has changed:
$ cat /etc/login.defs
QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
MAIL_FILE .mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
...
ENCRYPT_METHOD SHA512
Here, we used the cat command to view and thus verify the change.
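The same change can be made and verified non-interactively. This is an added example and not part of the original article: the functions below take the file path as a parameter, and the demo runs on a constructed copy of the snippet above, never on the live /etc/login.defs.

```shell
# Added example (not from the original article): set ENCRYPT_METHOD in a
# login.defs-style file with sed and read it back, so the change can be
# made and verified non-interactively. The file path is a parameter; the demo
# runs on a constructed copy, never on the live /etc/login.defs.

# Print the ENCRYPT_METHOD value of FILE, ignoring commented-out lines.
# If the setting appears more than once, the last active line is reported.
get_encrypt_method() {
    awk '$1 == "ENCRYPT_METHOD" { v = $2 } END { print v }' "$1"
}

# Set every active ENCRYPT_METHOD line in FILE to ALGO, appending one if the
# file has none, then print the resulting value. The pattern deliberately
# matches the unhyphenated spelling (SHA256, SHA512) that login.defs uses.
set_encrypt_method() {
    file="$1"
    algo="$2"
    if grep -q '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' "$file"; then
        sed -i "s/^[[:space:]]*ENCRYPT_METHOD[[:space:]].*/ENCRYPT_METHOD $algo/" "$file"
    else
        printf 'ENCRYPT_METHOD %s\n' "$algo" >> "$file"
    fi
    get_encrypt_method "$file"
}

# Demo on a constructed copy of the article's snippet (a commented-out
# ENCRYPT_METHOD line is included to show it is left alone).
demo_login_defs() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
# ENCRYPT_METHOD DES
ENCRYPT_METHOD SHA256
EOF
    before=$(get_encrypt_method "$tmp")
    after=$(set_encrypt_method "$tmp" SHA512)
    rm -f "$tmp"
    echo "$before -> $after"
}
```

Running demo_login_defs prints the value before and after the edit; set_encrypt_method on a real system would be called with /etc/login.defs as root.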
4. Modifying PAM Services
As Linux uses Pluggable Authentication Modules (PAM), we also need to change the configuration in the /etc/pam.d/common-password file, which sets how the system handles password-related tasks.
Particularly, PAM is a framework used by modern Unix-like operating systems to manage authentication. In addition, PAM enables modular and flexible authentication configurations.
4.1. Updating /etc/pam.d/common-password
In this case, specifying SHA512 as the encryption method ensures that password hashing uses the more secure SHA512 algorithm from the PAM perspective.
Let’s check how to modify the /etc/pam.d/common-password file:
$ sudo vim /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so sha512
In the above example, we used the Vim editor to open the /etc/pam.d/common-password file. Next, we look for a line that starts with password. This line typically contains configurations related to password management.
Finally, we change the hashing algorithm to SHA512, if it was not set to this value already.
4.2. Validating Changes
After we save the change and exit the Vim editor, we can validate the change.
To ensure that the updated password hashing algorithm is fully integrated into the system, it’s often a good practice to restart the pam-* services. In essence, these services manage authentication for various applications, including the login process. Additionally, restarting them triggers a reload of the /etc/login.defs file, incorporating the new password hashing algorithm.
Let’s restart the pam-* services:
# systemctl restart pam-*
pam-auth-update
Stopping system-authd daemon...
Starting system-authd daemon...
End of pam_auth_update
In the above snippet, we use the systemctl restart command. Thus, we interact with systemd, the service manager that controls system services and various aspects of the system’s behavior.
Finally, it’s important to note that existing users may need to change their passwords for the new hashing algorithm to apply to them. This is because existing password hashes were generated with the previous algorithm, and a stored hash is only recomputed when the password is changed. Since we increased the algorithm’s security, leaving the old hashes in place keeps those passwords more vulnerable.
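To find out which accounts are affected, here is an added example that is not part of the original article: it classifies each hash in a shadow-format file by its crypt(3) prefix ($6$ for SHA512, $5$ for SHA256, $y$ for yescrypt, $1$ for MD5) and lists the accounts still not on SHA512. The demo runs on constructed sample lines with placeholder hashes; on a real system the file to pass is /etc/shadow, read as root.

```shell
# Added example (not from the original article): report which accounts in a
# shadow-format file still carry hashes made with an algorithm other than
# SHA512. The file path is a parameter; the demo below uses constructed
# sample lines with placeholder hashes, not a real /etc/shadow.

# Map a shadow password field to an algorithm name by its crypt(3) prefix.
hash_algorithm() {
    case "$1" in
        ''|'!'*|'*'*) echo locked-or-empty ;;
        '$6$'*)       echo SHA512 ;;
        '$5$'*)       echo SHA256 ;;
        '$y$'*)       echo yescrypt ;;
        '$1$'*)       echo MD5 ;;
        *)            echo unknown-or-DES ;;
    esac
}

# Print "user algorithm" for every account whose hash is neither SHA512 nor
# locked/empty, i.e. accounts that must change their password to pick up
# the new ENCRYPT_METHOD. Returns 1 if any such account exists, else 0.
audit_shadow() {
    found=0
    while IFS=: read -r user hash rest; do
        algo=$(hash_algorithm "$hash")
        case "$algo" in
            SHA512|locked-or-empty) ;;
            *) printf '%s %s\n' "$user" "$algo"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Demo on constructed sample lines; the hash bodies are placeholders.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$5$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
carol:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
EOF
    audit_shadow "$tmp" || echo "the accounts above need a password change"
    rm -f "$tmp"
}
```

The non-zero exit status of audit_shadow makes it usable as a compliance check in a script, while the printed list tells the administrator whom to ask for a password change.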
5. Conclusion
In this article, we updated /etc/login.defs and /etc/pam.d/common-password to fortify the security of user passwords in our Linux environment by switching the hashing algorithm.
As system administrators, embracing and implementing robust security practices is a continuous process. Using SHA512 serves as a proactive measure against potential security threats, helping to ensure the confidentiality and integrity of user passwords.
In summary, we navigated through the theoretical foundations and practical steps of setting the default password algorithm to SHA512 in Linux.