Skip to content

5.4.4 Ensure password hashing algorithm is up to date with the latest standards

Audit#

PAM

No hashing algorithm should be configured in /etc/pam.d/common-password.

Run the following command: 

# grep -v ^# /etc/pam.d/common-password | grep -E "(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)"

Verify that there is no output.

If there is a business requirement to configure the hashing algorithm in PAM, ensure that the same algorithm is configured in /etc/login.defs.

Login definitions

Run the following command: 

# grep -i "^\s*ENCRYPT_METHOD\s*yescrypt\s*$" /etc/login.defs

Verify the output matches: 

ENCRYPT_METHOD yescrypt

Remediation#

NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files.

PAM

Edit the /etc/pam.d/common-password file and ensure that no hashing algorithm option for pam_unix.so is set: 

password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5

Login definitions

Edit /etc/login.defs and ensure that ENCRYPT_METHOD is set to yescrypt