#6: Password history (pam_unix) only available on MD5
-------------------------+-------------------------------------------------
 Reporter:  alarrere     |      Owner:  pam-developers@…
     Type:  security     |     Status:  new
 Priority:  critical     |  Component:  modules
  Version:  1.1.x        |   Keywords:  pam_unix password history remember
                         |              md5 sha512
Blocked By:              |   Blocking:
-------------------------+-------------------------------------------------
The management of password history is a function of the PAM module
'pam_unix.so'.
SHA-256 and SHA-512 are now supported.
Unfortunately, the pam_unix.so module only supports MD5 for password
history (file /etc/security/opasswd).
This lack induces password storage in 2 different cryptographic modes,
which implies a loss of security level.
After reading the source code of the pam_unix module, I can confirm the lack
of consultation of the pam_unix cryptographic mode configuration in 2 specific
files:
- passwdverify.c => save_old_password() function
- pam_unix_passwd.c => check_old_password() function
The observed side effect is that, with a 'sha512' configuration on pam_unix in
the configuration files of directory /etc/pam.d, we have the
password stored in /etc/shadow on SHA512 (starting with $6$) and the history
password stored in /etc/security/opasswd on MD5 (starting with $1$).
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/6>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
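An added audit check, not code from the ticket or from pam_unix: it parses shadow-format and opasswd-format lines and flags users whose stored password history was recorded with a crypt(3) scheme different from their current /etc/shadow hash, which is the $6$ versus $1$ symptom the reporter describes. The file contents and hash values below are constructed samples.

```python
# crypt(3) prefix -> scheme name; an unprefixed entry is legacy DES.
SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}

def hash_scheme(h):
    """Return the crypt scheme of one hash string, or 'des' if unprefixed."""
    for prefix, name in SCHEMES.items():
        if h.startswith(prefix):
            return name
    return "des"

def parse_shadow(text):
    """Map user -> current hash; locked ('!', '*') or empty hashes are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] and fields[1][0] not in "!*":
            users[fields[0]] = fields[1]
    return users

def parse_opasswd(text):
    """Map user -> list of old hashes; opasswd format is user:uid:count:h1,h2,..."""
    hist = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3]:
            hist[fields[0]] = fields[3].split(",")
    return hist

def find_mismatches(shadow_text, opasswd_text):
    """Return {user: (current_scheme, [other history schemes])} where they differ."""
    shadow = parse_shadow(shadow_text)
    out = {}
    for user, old in parse_opasswd(opasswd_text).items():
        if user in shadow:
            cur = hash_scheme(shadow[user])
            other = sorted({hash_scheme(h) for h in old} - {cur})
            if other:
                out[user] = (cur, other)
    return out

# Constructed sample data (not real hashes): alice shows the ticket's symptom.
SHADOW = ("alice:$6$saltsalt$CONSTRUCTEDHASH:19000:0:99999:7:::\n"
          "bob:$6$saltsalt$CONSTRUCTEDHASH:19000:0:99999:7:::\n"
          "svc:!:19000:0:99999:7:::\n")
OPASSWD = ("alice:1000:2:$1$salt$CONSTRUCTEDOLD1,$1$salt$CONSTRUCTEDOLD2\n"
           "bob:1001:1:$6$saltsalt$CONSTRUCTEDOLD\n")

if __name__ == "__main__":
    for user, (cur, hist) in find_mismatches(SHADOW, OPASSWD).items():
        print(f"{user}: current={cur}, history also uses {','.join(hist)}")
```

Run against real /etc/shadow and /etc/security/opasswd contents (root required to read them), any user listed has old password material protected by a weaker scheme than their current password.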