PDA

View Full Version : How-to: change default password hash with PAM



leapvalley
09-Dec-2011, 13:26
_Summary_

kernel 2.6.32.46-0.3 (SLES 11 SP1)
pam-config-0.68-1.22
pam-doc-1.0.4-0.7.1
pam-modules-32bit-11-1.18.1
pam-1.0.4-0.7.1
pam-32bit-1.0.4-0.7.1
pam-modules-11-1.18.1
pam_mount-32bit-0.47-13.13.65
pam_mount-0.47-13.13.65
yast2-pam-2.17.2-0.1.79

I'm relatively new to SLES, and I've really struggled to get my head
around PAM configuration. Mostly there now, but the biggest hurdle by
far was getting SHA256 hashes on my shadow passwords.

The updated documentation for PAM_UNIX2 points me in the right
direction, but it's not at all clear. Hopefully this will help any
other newcomers with the same issue.

Start with a default config:

*pam-config -c*
then update /etc/default/passwd and change as follows:

CRYPT=SHA256
CRYPT_FILES=SHA256

M.


--
leapvalley
------------------------------------------------------------------------
leapvalley's Profile: http://forums.novell.com/member.php?userid=121002
View this thread: http://forums.novell.com/showthread.php?t=449382

ab
09-Dec-2011, 14:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Typically I make this kind of change via Yast.

sudo /sbin/yast
Security and Users
Local Security
Password Settings
Password Encryption Method.

I think that is the right way to go, though on my SLES 11 (no SP)
machine I do not see SHA256 as an option so your way may expost other
options not yet enabled in Yast. Just be careful that the next time you
use Yast it doesn't overwrite your manually-made changes.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJO4hEgAAoJEF+XTK08PnB5OWgP/iqxi5EvWhi6GtcJIFHxCyjr
eceUnNu5HmCrOu+Wbawn1B/1Xk23gcZT3JBGtptdxxVJiKdarj3newRAA4bO/okZ
ApcTIQ6SAzMcyCe9ROubfn2LXBq2DjoJxwUuayvlbdfWSbK1sL sj76M6RgBIgSAz
GXz80bEJ2UrPs6I/siFofYao6HKsRJLPmOqP1Si9B8sQxJackFnhxEU1hBvw+a+x
LHgoEq+paeCpNxd2TSItFKWEtJVYJ4f7+jJQyIU2grOF/IzxCg2Utp6AeuVRla2r
8X7n+3a4uC63AqxMoB55lvsi3FVDAhWeBYWwfxY03PVYcrEM5k of6crGMPGpEXh+
fgqHwJdYSocr2BpEb8Y1XwohP11SH40OM7VHvrMvfSJ/sSLZQMc2is8hAE5doRKX
36vFFtrilKif89DVa5p1TWLW6nhscZhyftJUIKh+4VP0jjytee BhL0xXWrCwNGNG
loDcoVRwk2MNeS6PtdqBale/rkiVGNBCNOCmup1r8e9zZQeVSrjOEviim/I4sgrx
8ssHS5JCgy6MmzWaMVKX1apvo5om1xjvUSkx36Q0ECDezCKk+w DT0gbnipvIEei4
FByD2QYTLoVuZfgaYZSgLyF3GEJIkic0cJjGuUUsfZewSBtf7l ts4/NQIg00o0LD
JOoRd3106S4qRNSu2FI1
=CKek
-----END PGP SIGNATURE-----