From 93db3685bce720ca523ba5be8699e7d18f33806a Mon Sep 17 00:00:00 2001
From: Richard Maw
Date: Tue, 14 Apr 2015 16:21:16 +0100
Subject: shadow/PAM: Use SHA512 rather than DES for password hashes

DES truncates passwords, so is an insecure default.

Change-Id: I3fc7fe55a855ff762e51ef9d71fd6741b1cbc428
---
 strata/core/shadow.morph | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph
index d709ddcb..34ec6197 100644
--- a/strata/core/shadow.morph
+++ b/strata/core/shadow.morph
@@ -31,9 +31,20 @@ post-install-commands:
 PASS_CHANGE_TRIES \
 PASS_ALWAYS_WARN \
 CHFN_AUTH \
- ENCRYPT_METHOD \
 ENVIRON_FILE
 do
- sed -i "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
+ sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
 "$DESTDIR/etc/login.defs"
 done
+# ENCRYPT_METHOD is handled specially with PAM, it will use the default as
+# provided in login.defs, but it may be overridden in the pam.d config.
+# We do not currently override this though, and it's better to guard oursleves
+# against accidentally reducing password security by forgetting to include the
+# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured
+# here, rather than in PAM.
+- |
+ if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then
+ sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs"
+ else
+ echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
+ fi
--
cgit v1.2.1
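Review bot: The new grep test and sed address in the added `- |` block use `[\s#]`, which in a POSIX bracket expression matches the literal characters backslash, `s` and `#`, not whitespace, so the "detect an existing ENCRYPT_METHOD line" logic does not do what the comment above it describes. The grep form also demands exactly one of those characters before `ENCRYPT_METHOD`, so an active `ENCRYPT_METHOD DES` at column 0 fails the test and falls into the `else` branch, appending a second `ENCRYPT_METHOD` line; which of two definitions shadow then honours is not established by this hunk, so the hardening the commit intends is not guaranteed on exactly the input it is meant to fix. Aligning both patterns on a real whitespace class makes the detect and rewrite steps agree: `if grep -qE '^[[:space:]#]*ENCRYPT_METHOD[[:space:]]' "$DESTDIR/etc/login.defs"; then` and `sed -i -e '/^[[:space:]#]*ENCRYPT_METHOD[[:space:]]/s/.*/ENCRYPT_METHOD SHA512/' "$DESTDIR/etc/login.defs"` (the trailing `g` on `s/.*/` is redundant since `.*` already consumes the whole line). A `grep -c ENCRYPT_METHOD` on the produced login.defs in the build log would make a duplicate or missed line visible; the comment's "oursleves" is also a typo for "ourselves".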