#6: Password history (pam_unix) only available on MD5
-------------------------+-------------------------------------------------
 Reporter:   alarrere    |  Owner:      pam-developers@…
 Type:       security    |  Status:     new
 Priority:   critical    |  Component:  modules
 Version:    1.1.x       |  Keywords:   pam_unix password history remember
 Blocked By:             |              md5 sha512
 Blocking:               |
-------------------------+-------------------------------------------------

The management of password history is a function of the PAM module 'pam_unix.so'.
SHA-256 and SHA-512 are now supported.
Unfortunately, the pam_unix.so module only supports MD5 for password history (file /etc/security/opasswd).
This shortcoming results in password storage under two different cryptographic modes, which implies a loss of security level.
After reading the source code of the pam_unix module, I can confirm that the pam_unix cryptographic mode configuration is not consulted in two specific files:
 - passwdverify.c => save_old_password() function
 - pam_unix_passwd.c => check_old_password() function
The observed side effect is that, with a 'sha512' configuration for pam_unix in the configuration files under /etc/pam.d, we have the password stored in /etc/shadow as SHA-512 (starting with $6$) and the history password stored in /etc/security/opasswd as MD5 (starting with $1$).
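As an added illustration, not taken from the ticket or from the Linux-PAM sources, the following Python script checks a system for exactly the mismatch described in the report: it reads the crypt(3) prefix of each live hash in /etc/shadow and of each remembered hash in /etc/security/opasswd and reports users whose history is stored under a weaker scheme than their current password. It assumes the opasswd line format user:uid:count:hash1,hash2,... and the standard prefixes $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512) and $y$ (yescrypt); the sample shadow and opasswd lines embedded in it are constructed, not copied from a real system.

```python
"""Check /etc/shadow against /etc/security/opasswd for hash-scheme downgrades.

Added example for the ticket above; not part of Linux-PAM.  Assumes the
opasswd line format  user:uid:count:hash1,hash2,...  and the crypt(3)
prefixes listed in SCHEMES.  The sample files below are constructed.
"""
import sys

# crypt(3) prefix -> scheme name, ordered from weakest to strongest.
SCHEMES = [("$1$", "md5"), ("$5$", "sha256"), ("$6$", "sha512"), ("$y$", "yescrypt")]
RANK = {name: i for i, (_, name) in enumerate(SCHEMES)}  # higher is stronger


def scheme_of(hash_field):
    """Name the hashing scheme from a crypt(3) hash prefix ('unknown' if none match)."""
    for prefix, name in SCHEMES:
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def parse_shadow(text):
    """Map user -> scheme of the live password hash, skipping locked/empty entries."""
    live = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, hash_field = line.split(":", 2)[:2]
        if hash_field in ("", "*") or hash_field.startswith("!"):
            continue  # no password or account locked
        live[user] = scheme_of(hash_field)
    return live


def parse_opasswd(text):
    """Map user -> list of schemes of the remembered (historical) hashes."""
    history = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _uid, _count, hashes = line.split(":", 3)
        history[user] = [scheme_of(h) for h in hashes.split(",") if h]
    return history


def find_downgrades(shadow_text, opasswd_text):
    """Return (user, live_scheme, weakest_history_scheme) for every user whose
    password history is stored under a weaker scheme than the live hash."""
    live = parse_shadow(shadow_text)
    history = parse_opasswd(opasswd_text)
    findings = []
    for user, schemes in history.items():
        if user not in live or not schemes:
            continue
        weakest = min(schemes, key=lambda s: RANK.get(s, -1))
        if RANK.get(weakest, -1) < RANK.get(live[user], -1):
            findings.append((user, live[user], weakest))
    return findings


# Constructed sample data: alice changed her password after pam_unix was
# switched to sha512, but her history (written by the 'remember' code path)
# is still MD5; bob never moved off MD5, so his history is not a downgrade.
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
alice:$6$saltsalt$fakehashfakehashfakehashfakehash:19000:0:99999:7:::
bob:$1$abcdefgh$fakehashfakehash:19000:0:99999:7:::
"""
SAMPLE_OPASSWD = """\
alice:1000:2:$1$oldsalt1$fakehistoryhash1,$1$oldsalt2$fakehistoryhash2
bob:1001:1:$1$oldsalt3$fakehistoryhash3
"""


def main(argv):
    if len(argv) == 3:  # real files, e.g. /etc/shadow /etc/security/opasswd
        shadow = open(argv[1]).read()
        opasswd = open(argv[2]).read()
    else:
        shadow, opasswd = SAMPLE_SHADOW, SAMPLE_OPASSWD
    for user, live, weakest in find_downgrades(shadow, opasswd):
        print(f"{user}: live hash {live}, history contains {weakest}")


if __name__ == "__main__":
    main(sys.argv)
```

Run as root with the two real file paths as arguments to audit a live system; without arguments it runs on the constructed sample and reports alice only. The point of the check is that an opasswd file leaked from such a system exposes MD5 hashes of passwords that are protected by SHA-512 in /etc/shadow, so the history file becomes the weakest link.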
Comment (by tmraz):
I suggest using the pam_pwhistory module, which is recommended for this functionality, instead of the remember feature of pam_unix.
Changes (by kukuk):
 * resolution: => wontfix
 * status: new => closed
Comment:
pam_pwhistory.so saves the old hash, so the password is stored with the same level of security as in the past. I have now added a comment to pam_unix not to use the remember option but to use pam_pwhistory.
pam-developers@lists.fedorahosted.org