authorRichard Maw <richard.maw@codethink.co.uk>2015-04-14 16:21:16 +0100
committerBaserock Gerrit <gerrit@baserock.org>2015-05-05 13:51:32 +0000
commit93db3685bce720ca523ba5be8699e7d18f33806a (patch)
tree4af9df386e891cbe83d6f64b71fbd445d72082d5
parent62d1a56a6629c287a1fe88040a893f401276b86c (diff)
shadow/PAM: Use SHA512 rather than DES for password hashes
DES truncates passwords, so it is an insecure default. Change-Id: I3fc7fe55a855ff762e51ef9d71fd6741b1cbc428
-rw-r--r--strata/core/shadow.morph15
1 files changed, 13 insertions, 2 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph
index d709ddcb..34ec6197 100644
--- a/strata/core/shadow.morph
+++ b/strata/core/shadow.morph
@@ -31,9 +31,20 @@ post-install-commands:
PASS_CHANGE_TRIES \
PASS_ALWAYS_WARN \
CHFN_AUTH \
- ENCRYPT_METHOD \
ENVIRON_FILE
do
- sed -i "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
+ sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
"$DESTDIR/etc/login.defs"
done
+# ENCRYPT_METHOD is handled specially with PAM, it will use the default as
+# provided in login.defs, but it may be overridden in the pam.d config.
+# We do not currently override this though, and it's better to guard oursleves
+# against accidentally reducing password security by forgetting to include the
+# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured
+# here, rather than in PAM.
+- |
+ if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then
+ sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs"
+ else
+ echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
+ fi
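Review bot: The grep guard and the sed address on the two lines after `- |` match different sets of lines, so an existing uncommented `ENCRYPT_METHOD` setting at column 0 can slip through: inside a bracket expression `\s` is not a whitespace class but the literal characters `\` and `s`, and `[\s#]` in the grep requires exactly one such character before the keyword, whereas the sed uses `[\s#]*` (zero or more). If login.defs ships `ENCRYPT_METHOD DES` at column 0, the `else` branch appends a second `ENCRYPT_METHOD SHA512` line and leaves the DES line in place; which one shadow then honours depends on its duplicate-key handling, which is not visible here, so the hardening may silently not take effect, and a line where the key and value are separated by a tab rather than a space would not match the sed address either. Suggest one pattern for both, with a POSIX class: `if grep -q '^[[:space:]#]*ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then` and `sed -i -e '/^[[:space:]#]*ENCRYPT_METHOD[[:space:]]/s/.*/ENCRYPT_METHOD SHA512/' "$DESTDIR/etc/login.defs"`. The comment block above also has a typo, `oursleves` for `ourselves`.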