author | Richard Maw <richard.maw@codethink.co.uk> | 2015-04-14 16:21:16 +0100 |
---|---|---|
committer | Baserock Gerrit <gerrit@baserock.org> | 2015-05-05 13:51:32 +0000 |
commit | 93db3685bce720ca523ba5be8699e7d18f33806a (patch) | |
tree | 4af9df386e891cbe83d6f64b71fbd445d72082d5 /strata | |
parent | 62d1a56a6629c287a1fe88040a893f401276b86c (diff) | |
download | definitions-93db3685bce720ca523ba5be8699e7d18f33806a.tar.gz |
shadow/PAM: Use SHA512 rather than DES for password hashes
DES truncates passwords, so is an insecure default.
Change-Id: I3fc7fe55a855ff762e51ef9d71fd6741b1cbc428
Diffstat (limited to 'strata')
-rw-r--r-- | strata/core/shadow.morph | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph index d709ddcb..34ec6197 100644 --- a/strata/core/shadow.morph +++ b/strata/core/shadow.morph @@ -31,9 +31,20 @@ post-install-commands: PASS_CHANGE_TRIES \ PASS_ALWAYS_WARN \ CHFN_AUTH \ - ENCRYPT_METHOD \ ENVIRON_FILE do - sed -i "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \ + sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \ "$DESTDIR/etc/login.defs" done +# ENCRYPT_METHOD is handled specially with PAM, it will use the default as +# provided in login.defs, but it may be overridden in the pam.d config. +# We do not currently override this though, and it's better to guard oursleves +# against accidentally reducing password security by forgetting to include the +# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured +# here, rather than in PAM. +- | + if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then + sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs" + else + echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs" + fi |
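Review bot: The bracket expressions `[\s#]` in the new grep and sed commands do not match whitespace, so the existence check in the `if` can miss the very line it is meant to rewrite. In a POSIX (and GNU grep/sed) bracket expression `\s` is the two literal characters backslash and `s`, so `'[\s#]ENCRYPT_METHOD'` only matches when a `\`, `s` or `#` immediately precedes `ENCRYPT_METHOD`. An uncommented `ENCRYPT_METHOD DES` at column 0, with nothing before it, is not detected by the grep; the script then falls into the `else` branch and appends a second `ENCRYPT_METHOD SHA512` line instead of replacing the existing one, leaving two conflicting `ENCRYPT_METHOD` settings in `login.defs`. A commented line of the form `# ENCRYPT_METHOD ...` with a space after the hash is likewise not matched by the sed address, since the space is not in the class. Suggest anchoring and using a POSIX class in both places, e.g. `grep -q '^[[:space:]#]*ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"` and `sed -i -e '/^[[:space:]#]*ENCRYPT_METHOD[[:space:]]/s/.*/ENCRYPT_METHOD SHA512/'`; the `g` flag on a substitution whose pattern is the whole line (`.*`) is redundant and can go. Minor: "oursleves" in the new comment block should read "ourselves".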