Skip to content

5.4.5 Ensure all current passwords uses the configured hashing algorithm

title: 5.4.5 Ensure all current passwords uses the configured hashing algorithm tags: - Level 1 - Workstation - Server - Access, Authentication and Authorization - Configure PAM - Manual - IG2 - IG3 - 3.11 Encrypt Sensitive Data at Rest - T1003 - T1003.008 - T1110 - T1110.002 - TA0006 - MA1041

Audit#

Run the following script to get a list of users that are not using the currently configured hashing algorithm: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#!/usr/bin/env bash
{
 declare -A HASH_MAP=( ["y"]="yescrypt" ["1"]="md5" ["2"]="blowfish" ["5"]="SHA256" ["6"]="SHA512" ["g"]="gost-yescrypt" )
 CONFIGURED_HASH=$(sed -n "s/^\s*ENCRYPT_METHOD\s*\(.*\)\s*$/\1/p" /etc/login.defs)
 for MY_USER in $(sed -n "s/^\(.*\):\\$.*/\1/p" /etc/shadow)
 do
 CURRENT_HASH=$(sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow)
 if [[ "${HASH_MAP["${CURRENT_HASH}"]^^}" != "${CONFIGURED_HASH^^}" ]]; then
 echo "The password for '${MY_USER}' is using '${HASH_MAP["${CURRENT_HASH}"]}' instead of the configured '${CONFIGURED_HASH}'."
 fi
 done
}

Nothing should be returned.

Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems.

Remediation#

If the administrator wish to force an immediate change on all users as per the output of the audit, execute: 

1
2
3
4
5
#!/usr/bin/env bash
{
 UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
 awk -F: -v UID_MIN="${UID_MIN}" '( $3 >= UID_MIN && $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0
}

NOTE: This could cause significant temporary CPU load on the system if a large number of users reset their passwords at the same time.