As of today =sys-libs/glibc-2.8_p20080602-r1 is available for installation
on 'stable' hardened systems. As =sys-libs/glibc-2.8_p20080602-r1 will be
compiled against the also-stable =sys-kernel/linux-headers-2.6.27-r2, it is
recommended that one first upgrade to a >=sys-kernel/hardened-sources-2.6.27
kernel. Running a <=sys-kernel/*-2.6.27 kernel on a system with
=sys-libs/glibc-2.8_p20080602-r1 compiled against
=sys-kernel/linux-headers-2.6.27-r2 has not been tested by the Gentoo Hardened
team and is not supported.

Now on to the fun...

To attain sha512 shadow password hash capability one must:
1. Upgrade to >=sys-libs/glibc-2.8
2. Compile (+install) >=sys-libs/pam-1 against >=sys-libs/glibc-2.8
3. Compile (+install) >=sys-auth/pambase-20081028 with USE="sha512" (enabled
   by default)

Any newly created or changed user passwords will now be stored via sha512 hash
rather than md5. Be aware, sha512 password hashes are not backward
compatible with older glibc/pam.

Let's find all md5 password hashes:

# fgrep '$1$' /etc/shadow

Simply change the password for any listed account to have the password stored
via sha512 hash. :)
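
An added example (not part of the original announcement): a shell audit that
reads field 2 of a shadow-format file and reports each account's hash scheme by
its crypt(3) prefix, including locked accounts whose hash is prefixed with "!".
The function names and the sample file with fake hashes are constructed for
illustration; on a real system, run audit_shadow against /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original announcement.
# Classify each account in a shadow-format file by crypt(3) hash prefix.

audit_shadow() {   # usage: audit_shadow FILE -> "user scheme[ (locked)]" per line
    awk -F: '
    {
        h = $2; locked = ""
        # passwd -l prepends "!" to an existing hash; strip it but note it
        if (h ~ /^!+\$/) { sub(/^!+/, "", h); locked = " (locked)" }
        if      (h == "")        scheme = "empty"
        else if (h ~ /^\$1\$/)   scheme = "md5"
        else if (h ~ /^\$5\$/)   scheme = "sha256"
        else if (h ~ /^\$6\$/)   scheme = "sha512"
        else if (h ~ /^[!*]/)    scheme = "nologin"
        else                     scheme = "other"   # e.g. traditional DES crypt
        print $1, scheme locked
    }' "$1"
}

md5_accounts() {   # usage: md5_accounts FILE -> names of accounts still on md5
    audit_shadow "$1" | awk '$2 == "md5" { print $1 }'
}

make_sample() {    # writes a constructed shadow file (fake hashes) to $1
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDsha512hash:14200:0:99999:7:::
alice:$1$CONSTRUC$CONSTRUCTEDmd5hash:14100:0:99999:7:::
bob:!$1$CONSTRUC$CONSTRUCTEDmd5hash:14100:0:99999:7:::
carol:$5$CONSTRUCTEDsalt$CONSTRUCTEDsha256hash:14200:0:99999:7:::
daemon:*:14000:0:99999:7:::
sshd:!:14000:0:99999:7:::
legacy:abCONSTRUCTED:13000:0:99999:7:::
EOF
}

# Demo on the constructed sample only; nothing here touches /etc/shadow.
sample=$(mktemp)
make_sample "$sample"
audit_shadow "$sample"
echo "accounts to re-password: $(md5_accounts "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

Entries reported as "other" carry no $N$ prefix at all, so the fgrep above does
not list them; they need a password change just like the md5 ones.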

Many thanks go to Diego "Flameeyes" Pettenò for maintaining PAM and making
sha512 shadow password hash capability a reality in Gentoo.

That is all.

Gordon Malm (gengor)