ghoneycutt / puppet-module-pam

Puppet module to manage PAM
Other

Use SHA512 instead of md5 for passwords on EL6 and EL7 #196

Closed synaptis closed 5 years ago

synaptis commented 5 years ago

MD5 is old and no longer considered secure. This PR replaces MD5 with SHA512 for RHEL 6 & 7 systems.

ghoneycutt commented 5 years ago

@synaptis Thanks for the PR! We want to be sure that this patch does not break older systems that might be doing md5 by default. Could you link to documentation around this from RedHat? Does it require any special pam packages to be installed?

ghoneycutt commented 5 years ago

BTW, the spec tests failed because the fixtures need to be updated.

https://github.com/ghoneycutt/puppet-module-pam/tree/master/spec/fixtures

synaptis commented 5 years ago

> @synaptis Thanks for the PR! We want to be sure that this patch does not break older systems that might be doing md5 by default. Could you link to documentation around this from RedHat? Does it require any special pam packages to be installed?

No worries, we are a RHEL shop and I figure a PR is more useful than us creating our own fork.

The sha512 encryption algorithm has been supported via the crypt function since glibc 2.7. RHEL 6 currently ships with glibc-2.12-1.212.el6.x86_64, RHEL 7 with glibc-2.17-222.el7.x86_64. No additional pam packages required.

Both RHEL 6 and 7 encrypt passwords with sha512 by default: RHEL 6 security guide. RHEL 7 security guide.

The PAM documentation on the pam_unix.so module has this: "sha512: When a user changes their password next, encrypt it with the SHA512 algorithm. If the SHA512 algorithm is not known to the crypt(3) function, fall back to MD5."
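As an added illustration of the point above (example code, not part of this PR or the module): a small Python audit that reports which algorithm each `password ... pam_unix.so` rule selects, and classifies existing /etc/shadow password fields by their hash prefix, since the documented fall-back to MD5 means the shadow file is where you confirm that SHA512 actually took effect. The PAM lines and shadow fields are constructed samples, not real hashes.

```python
import re

# crypt(3) scheme ids seen at the start of a /etc/shadow password field.
HASH_PREFIXES = {
    "$1$": "md5", "$5$": "sha256", "$6$": "sha512",
    "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt",
}
# pam_unix.so options that choose the algorithm for newly set passwords.
PAM_UNIX_ALGOS = {"md5", "bigcrypt", "blowfish", "sha256", "sha512", "yescrypt"}


def shadow_hash_algorithm(field: str) -> str:
    """Classify one /etc/shadow password field by its hash prefix."""
    if field == "" or field.startswith(("!", "*")):
        return "locked"          # no usable hash: locked or system account
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des"                 # no $id$ prefix: legacy 13-character DES crypt


# password <control | [bracketed control]> <module path> <options...>
_PASSWORD_RULE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def audit_pam_unix(pam_config: str) -> list[dict]:
    """Report the algorithm each 'password ... pam_unix.so' rule selects."""
    report = []
    for lineno, raw in enumerate(pam_config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = _PASSWORD_RULE.match(line)
        if not m or not m.group(2).endswith("pam_unix.so"):
            continue
        algos = sorted(PAM_UNIX_ALGOS & set(m.group(3).split()))
        report.append({"line": lineno,
                       "algorithms": algos or ["des"],  # pam_unix default with no option
                       "sha512": "sha512" in algos})
    return report


# Constructed sample inputs: an md5 rule as shipped before the change, and a sha512 rule.
SAMPLE_PAM = """\
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    [success=1 default=ignore]  pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""
# Constructed shadow password fields (placeholder text, not real hashes).
SAMPLE_SHADOW_FIELDS = {"alice": "$6$constructed$notarealhash",
                        "bob": "$1$constructed$notarealhash", "svc": "!!"}
```

Run `audit_pam_unix` over `/etc/pam.d/system-auth` and `password-auth` on EL6/EL7, then compare against the prefixes in `/etc/shadow`: an account still on `$1$` after the change simply has not rotated its password yet.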

synaptis commented 5 years ago

> BTW, the spec tests failed because the fixtures need to be updated.
>
> https://github.com/ghoneycutt/puppet-module-pam/tree/master/spec/fixtures

Sorry about that, I'm still a bit new to unit tests. I'll get it sorted out.

ghoneycutt commented 5 years ago

@synaptis Thanks, this looks great! Could you please rebase and squash your commits into one commit with a subject similar to

(GH-196) Use SHA512 instead of MD5 for passwords on EL6 and EL7

I'll get this verified on some VMs and get it merged.

synaptis commented 5 years ago

All done. Rebase and squash was new to me but I'm pretty sure it's done right.

ghoneycutt commented 5 years ago

Fixes #166

ghoneycutt commented 5 years ago

Released in v3.2.0