#6: Password history (pam_unix) only available on MD5 -------------------------+------------------------------------------------- Reporter: alarrere | Owner: pam-developers@… Type: security | Status: new Priority: critical | Component: modules Version: 1.1.x | Keywords: pam_unix password history remember Blocked By: | md5 sha512 | Blocking: -------------------------+------------------------------------------------- The management of password history is a function of PAM module 'pam_unix.so' The SHA 256 and 512 are now supported. Unfortunately, the pam_unix.so module only support MD5 for password history. (File /etc/security/opasswd) This lack induced a password storage on 2 different cryptographic modes which implies a loss of security level. After reading the source code of pam_unix module, i can confirm the lack of pam_unix cryptographic mode configuration consultation in 2 specific files: - passwdverify.c => save_old_password() function - pam_unix_passwd.c => check_old_password() function The observed side effect is, with a 'sha512' configuration on pam_unix in configuration files of directory /etc/pam.d, we have password stored in /etc/shadow on SHA512 (starting with $6$) and history password stored in /etc/security/opasswd on MD5 (starting with $1$). -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/6> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project