| 1 |
As of today =sys-libs/glibc-2.8_p20080602-r1 is available for installation |
| 2 |
on 'stable' hardened systems. As =sys-libs/glibc-2.8_p20080602-r1 will be |
| 3 |
compiled against also stable =sys-kernel/linux-headers-2.6.27-r2, it is |
| 4 |
recommended one first upgrade to a >=sys-kernel/hardened-sources-2.6.27 |
| 5 |
kernel. Running a <=sys-kernel/*-2.6.27 kernel on a system with |
| 6 |
=sys-libs/glibc-2.8_p20080602-r1 compiled against |
| 7 |
=sys-kernel/linux-headers-2.6.27-r2 has not be tested by the Gentoo Hardened |
| 8 |
team and is not supported. |
| 9 |
|
| 10 |
Now on to the fun... |
| 11 |
|
| 12 |
To attain sha512 shadow password hash capability one must: |
| 13 |
1. Upgrade to >=sys-libs/glibc-2.8 |
| 14 |
2. Compile (+install) >=sys-libs/pam-1 against >=sys-libs/glibc-2.8 |
| 15 |
3. Compile (+install) >=sys-auth/pambase-20081028 with USE="sha512" (enabled |
| 16 |
by default) |
| 17 |
|
| 18 |
Any newly created or changed user passwords will now be stored via sha512 hash |
| 19 |
rather than md5. Be aware, sha512 password hashes are not backward |
| 20 |
compatible with older glibc/pam. |
| 21 |
|
| 22 |
Let's find all md5 password hashes: |
| 23 |
|
| 24 |
# fgrep '$1$' /etc/shadow |
| 25 |
|
| 26 |
Simply change the password for any listed account to have the password stored |
| 27 |
via sha512 hash. :) |
| 28 |
|
| 29 |
Many thanks go to Diego "Flameeyes" Pettenò for maintaining PAM and making |
| 30 |
sha512 shadow password hash capability a reality in Gentoo. |
| 31 |
|
| 32 |
That is all. |
| 33 |
|
| 34 |
Gordon Malm (gengor) |
Archives