Friday, March 1, 2013

How to set up SHA-256 or SHA-512 hashing

These are my notes on how to set up stronger password hashing on your Solaris 10 servers. To make your servers more secure, you will want to use SHA-256 or SHA-512 password hashing; many older servers use a weaker hash by default. In the example below, user1 is using the MD5 hash and user2 is using the SHA-512 hash. As you can see, the hash for user2 is much longer, and the longer hash is the more secure one.

user1:$1$QNhPL6JG$fISdvRQdpXSj1seOcYoSk.
user2:$6$GptKlbR1$3Qjb5HBh.2R87N8RkvxWYnpHETXfVCeOEgQTs5EXBs6o9nb6z2tHkqalNt1H2ZI5dicCFkUnRRgWFW65CUOBF0

In /etc/security/policy.conf, make sure the following setting is present.
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

In /etc/security/policy.conf, change the following lines to what you see below (the second line sets the default algorithm for new passwords to SHA-512, id 6).
#CRYPT_ALGORITHMS_DEPRECATE=__UNIX__
CRYPT_DEFAULT=6

In /etc/security/crypt.conf you should see the following lines at the end. If they are not there, you most likely don't have patch 140905-02 installed. If you have an Oracle Support contract, you can download it from My Oracle Support.
5 crypt_sha256.so.1
6 crypt_sha512.so.1

I got the info about the missing patch from a post I made at the Oracle Communities forum. Below, I have posted a link to my post.
https://communities.oracle.com/portal

To see which hash your users are using, look at your /etc/shadow file. If a user's hash starts with $5 or $6, then they are using SHA-256 or SHA-512. After you make the changes above, the users will need to reset their password. You will need to use the -d option with the passwd command to delete the user's password hash; if this is not done, the account will continue to use the old hash. On Linux machines you don't need to run the passwd -d command.

passwd -d user1
passwd: password information changed for user1
passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
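The two checks above (which algorithm each /etc/shadow entry uses, and what policy.conf sets as the default) are easy to script so you can find every account that still needs the passwd -d / passwd reset. The following is an added example written for this post, not part of it and not an Oracle tool: it classifies shadow entries by their $id$ prefix and reads the CRYPT_DEFAULT key (that is how Solaris spells it in policy.conf). The sample shadow and policy.conf text is constructed except for the user1 and user2 hashes, which are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shadow-format file for
# accounts whose hash is not SHA-256/SHA-512, and read CRYPT_DEFAULT from a
# policy.conf-style file. All sample data below is constructed except the
# user1/user2 hashes, which are the ones shown in the post.

# Map one shadow password field to its crypt(3C) algorithm by its $id$ prefix.
# Traditional 13-character DES hashes carry no prefix, so they fall through
# to the default branch.
hash_algo() {
    case "$1" in
        '')              echo none ;;      # empty field, e.g. right after passwd -d
        '*LK*'*)         echo locked ;;    # Solaris locked-account marker
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$2a$'*)         echo blowfish ;;
        '$1$'*|'$md5$'*) echo md5 ;;
        *)               echo unix-des ;;
    esac
}

# Read shadow-format lines (user:hash:lastchg:...) on stdin and print
# "user algorithm" for each.
report_hashes() {
    while IFS=: read -r user hash _rest; do
        [ -z "$user" ] && continue
        echo "$user $(hash_algo "$hash")"
    done
}

# Print only the users that still need "passwd -d user; passwd user"
# after CRYPT_DEFAULT has been switched to 6: MD5, old DES, or no hash at all.
weak_hash_users() {
    report_hashes | while read -r user algo; do
        case "$algo" in
            md5|unix-des|none) echo "$user" ;;
        esac
    done
}

# Print the effective CRYPT_DEFAULT from policy.conf-style text on stdin,
# ignoring commented-out lines; the last uncommented setting wins.
policy_crypt_default() {
    sed -n 's/^CRYPT_DEFAULT=//p' | tail -n 1
}

# Constructed sample data (user1/user2 hashes are from the post).
SAMPLE_SHADOW='user1:$1$QNhPL6JG$fISdvRQdpXSj1seOcYoSk.:15765::::::
user2:$6$GptKlbR1$3Qjb5HBh.2R87N8RkvxWYnpHETXfVCeOEgQTs5EXBs6o9nb6z2tHkqalNt1H2ZI5dicCFkUnRRgWFW65CUOBF0:15765::::::
olduser:abJnggxhB/yWI:15000::::::
svc:*LK*:15000::::::
tmp::15765::::::'

SAMPLE_POLICY='# constructed excerpt of /etc/security/policy.conf
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__UNIX__
CRYPT_DEFAULT=6'

# Stand-alone demo. On a real Solaris box, as root, run:
#   weak_hash_users < /etc/shadow
#   policy_crypt_default < /etc/security/policy.conf
echo "CRYPT_DEFAULT is: $(printf '%s\n' "$SAMPLE_POLICY" | policy_crypt_default)"
printf '%s\n' "$SAMPLE_SHADOW" | report_hashes
echo "accounts needing a password reset:"
printf '%s\n' "$SAMPLE_SHADOW" | weak_hash_users
```

Run it once before the policy.conf change to get the list of accounts to reset, and again afterwards to confirm every active account now reports sha512. Between passwd -d and the following passwd the account's shadow field is empty, which the audit reports as "none", so run the two commands back to back and re-run the audit to make sure no account was left in that state.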


I hope this helps someone out.
