changing password hashing to something other than md5 in /etc/shadow

Craig White craig at tobyhouse.com
Fri Aug 24 14:48:10 MST 2007


On Fri, 2007-08-24 at 14:19 -0700, Technomage-hawke wrote:
> On Friday 24 August 2007 03:04, Technomage-hawke wrote:
> > ok,
> >
> > * I've googled for it (no luck, but certainly lots of 'interesting' reading
> > material)
> >  * I've tried reading all the system documentation I can find
> >
> > * I've even tried hunting down the files to allow this.
> >
> > how do I change the hashing algorithm used in /etc/shadow?
> > I need to use something other than MD5 or DES (was looking at whirlpool,
> > AES, sha-5 or above).
> >
> > some suggestions please?
> ok,
> well, it looks like I am going to have to get hold of the pam source 
> developers on this one. 
> it should be easy to have pam do other forms of hashing (other than 
> DES/MD5/SHA*/BLOWFISH) but there is very little documentation at (for some 
> reason, not much development).
> 
> I hate to say this, but MD5 is pitifully weak and I know that DES is not only 
> breakable, there are rainbow lists for every possible combination of hash for 
> it. the SHA series has some problems of its own. personally, I'd rather have 
> TIGER, WHIRLPOOL or AES in the hash but I don't see any way of doing that 
> currently.
----
see here's the thing...when you use LDAP, there isn't a static file to
run decryption against so the only thing you can do is to capture traffic
on the wire itself which would likely have an entirely different
encryption mechanism (i.e. ssh/3DES) so I think you're thinking inside the
box.

But I have to ask...why not just use kerberos?

-- 
Craig White <craig at tobyhouse.com>
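As an added example that is not part of this thread, a small defender-side audit that reads shadow-format lines and reports which crypt(3) scheme each account's hash uses, so DES and MD5 entries like the ones discussed above can be found before any migration. The `$id$` prefixes are the standard glibc/libxcrypt identifiers; the sample lines and hash strings are constructed.

```python
"""Audit which crypt(3) scheme each account in a shadow file uses.

Added example, not code from the list thread.  Input lines are in
/etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:flag
"""
import re

# Scheme identifiers used by glibc/libxcrypt crypt(3): "$id$salt$hash".
SCHEMES = {
    "1": "MD5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256",
    "6": "SHA-512",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK = {"DES", "MD5"}   # schemes the thread wants to move away from


def classify_hash(field: str) -> str:
    """Return the scheme name for one shadow password field."""
    locked = field.startswith(("!", "*"))      # "!"/"*" prefix = login disabled
    body = field.lstrip("!*")
    if body == "":
        return "locked/none"                   # no hash stored at all
    m = re.fullmatch(r"\$([^$]+)\$.*", body)
    if m:
        name = SCHEMES.get(m.group(1), "unknown($%s$)" % m.group(1))
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        name = "DES"                           # traditional 13-char crypt, no $id$
    else:
        name = "unknown"
    return name + (" (locked)" if locked else "")


def audit_shadow(text: str) -> dict:
    """Map account name -> scheme for every well-formed line in shadow text."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text: str) -> list:
    """Accounts whose *usable* (not locked) password is stored with DES or MD5."""
    return sorted(u for u, s in audit_shadow(text).items() if s in WEAK)


# Constructed sample: hashes below are made-up strings, not real digests.
SAMPLE = """\
root:$6$saltsalt$MADEUPHASHVALUE0123456789abcdef:17000:0:99999:7:::
alice:$1$saltsalt$madeuphash0123456789ab:17000:0:99999:7:::
bob:ab0123456789.:17000:0:99999:7:::
carol:!$1$saltsalt$madeuphash0123456789ab:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE).items():
        print(f"{user:10} {scheme}")
    print("weak:", weak_accounts(SAMPLE))
```

Run it against a copy of a real `/etc/shadow` by passing the file contents to `audit_shadow`; accounts that are locked keep their scheme label but are not counted as weak because they cannot be used to log in.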