Closed toutoen closed 1 year ago
cf https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password
The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)).
$ /opt/cis-hardening/bin/hardening.sh --sudo --audit --allow-unsupported-distribution --only 5.3.4
[...]
hardening [INFO] Treating /opt/cis-hardening/bin/hardening/5.3.4_acc_pam_sha512.sh
5.3.4_acc_pam_sha512 [INFO] Working on 5.3.4_acc_pam_sha512
5.3.4_acc_pam_sha512 [INFO] [DESCRIPTION] Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
5.3.4_acc_pam_sha512 [INFO] Checking Configuration
5.3.4_acc_pam_sha512 [INFO] Performing audit
5.3.4_acc_pam_sha512 [ KO ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is not present in /etc/pam.d/common-password
5.3.4_acc_pam_sha512 [ KO ] Check Failed
################### SUMMARY ###################
Total Available Checks : 1
Total Runned Checks : 1
Total Passed Checks : [ 0/1 ]
Total Failed Checks : [ 1/1 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 0 %
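An added example, not part of the original report or of the project's scripts: a sketch of an audit that accepts either sha512 or yescrypt on the pam_unix.so password line, plus a classifier for /etc/shadow hash fields by their crypt(5) prefix. ALLOWED_ALGOS, the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's script. ALLOWED_ALGOS and all function
# names are assumptions of this sketch.
ALLOWED_ALGOS="sha512 yescrypt"

# Print the allowed algorithm set as an option on an active (uncommented)
# "password ... pam_unix.so ..." line of file $1; print "none" and fail otherwise.
pam_unix_hash_algo() {
    for algo in $ALLOWED_ALGOS; do
        if grep -Eq "^[[:space:]]*password[[:space:]].+[[:space:]]pam_unix\.so[[:space:]]+(.*[[:space:]])?${algo}([[:space:]]|\$)" "$1"; then
            echo "$algo"
            return 0
        fi
    done
    echo none
    return 1
}

# Map the second field of a shadow entry to its scheme by crypt(5) prefix.
# Empty, "!" and "*" fields are reported together as locked-or-empty.
shadow_hash_scheme() {
    case $1 in
        '$6$'*) echo sha512 ;;
        '$y$'*) echo yescrypt ;;
        ''|'!'*|'*'*) echo locked-or-empty ;;
        *) echo other ;;
    esac
}

# Constructed sample: a pam_unix.so line using yescrypt, as on Debian 11.
write_sample_common_password() {
    printf 'password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt\n' > "$1"
}

sample=$(mktemp)
write_sample_common_password "$sample"
echo "common-password: $(pam_unix_hash_algo "$sample")"
echo "shadow field:    $(shadow_hash_scheme '$y$j9T$constructedsalt$constructedhash')"
rm -f "$sample"
```

Unlike the pattern in the audit output above, this one anchors the algorithm as a whole option and skips commented-out lines, so a disabled `sha512` line does not count as a pass.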