5.2.3 Ensure passwords are not hashed using 'crypt'


The recommendation is to change the default password hash algorithm to ssha512 (see paragraph 5.2.1). However, changing the default algorithm away from crypt is not enough: an existing crypt hash remains in the shadow password file /etc/security/passwd until the user supplies a new password, and only then is a hash produced with the new default algorithm stored.


The crypt hash algorithm is known to every *nix version, so it provided portability. In the 1970s processor power was weak enough that its 56-bit DES key (derived from at most the first 8 characters of the password) was a reasonable, even sufficient, defence against brute-force attacks. Fifty (50) years later this is no longer the case.


The audit looks for hashed passwords that are 13 (thirteen) characters long, the length of a traditional crypt hash (2 characters of salt followed by 11 characters of hash). The remediation neither changes the password nor locks the account. It does clear any password flags that are present (notably NOCHECK must be removed) and sets the ADMCHG flag, so that the account is required to reset its password at the next login.


Execute the following script to set the administrative requirement to update the password at next login for every account whose current password is still hashed with the crypt algorithm.

#!/usr/bin/ksh -e
# hash_chk:5.2.12
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022

# System accounts are skipped; root is treated as a regular account.
# pconsole is no longer a system account - being deprecated/removed.
# SACTS1/SACTS2 were not defined in the original listing; the alternation
# lists below are an assumption (AIX default system accounts). Adjust them
# to the site's own list before running.
SACTS1='daemon|bin|sys|adm|uucp|guest|nobody|lpd|lp'
SACTS2='invscout|snapp|ipsec|nuucp|sshd|esaadmin'

# A traditional crypt(3) hash is exactly 13 characters: 2 of salt, 11 of hash.
grep 'password[[:blank:]]= .............$' /etc/security/passwd |
while read pass equals cryptedhash; do
    # grep -p prints the whole stanza that holds the hash; drop system-account
    # stanzas, then keep the "user:" line and strip the trailing colon.
    # Caveat: two accounts sharing salt and password share the hash, and
    # grep -p then returns both stanzas.
    user=$(/usr/bin/grep -p "$cryptedhash" /etc/security/passwd |
        /usr/bin/egrep -vp "^(${SACTS1}):\$" |
        /usr/bin/egrep -vp "^(${SACTS2}):\$" |
        /usr/bin/egrep '^[a-zA-Z0-9_]+:$' | sed -e 's/:$//')
    [ -z "$user" ] && continue      # hash belonged only to system accounts
    print "${user}: needs to update passwd"
    set -x
    /usr/bin/pwdadm -c "${user}"          # clear flags such as NOCHECK
    /usr/bin/pwdadm -f ADMCHG "${user}"   # require a new password at next login
    set +x
done
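The audit check described above (13-character crypt hashes, system accounts skipped, root audited like any other account) and the remediation the script applies, as an added example that is not from the CIS benchmark or from AIXTools: a POSIX sh/awk stanza parser run over a constructed /etc/security/passwd sample. The stanza layout, the sample hashes and the SYSTEM_ACCOUNTS list are assumptions, and find_crypt_users and crypt_remediation_plan are names chosen here. It only prints the pwdadm commands it would issue, so it can be run on any host without touching accounts.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or the AIXTools script.
# Parses an AIX-style /etc/security/passwd stanza file, reports accounts
# still carrying a 13-character crypt(3) hash, and prints (does not run)
# the pwdadm commands the remediation would issue for them.
#
# Assumed stanza layout:
#   user:
#           password = <hash>
#           lastupdate = <epoch seconds>
#           flags = ADMCHG,NOCHECK

# Constructed sample file; the hashes are made up and are not real credentials.
SAMPLE="${TMPDIR:-/tmp}/sec_passwd_sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:
        password = abJnggxhB/yWI
        lastupdate = 1650000000
        flags = NOCHECK

daemon:
        password = *

alice:
        password = {ssha512}06$H2pL9vQs7kZ1mN3c$uX4eR7tB2nW9gM8kQ5yF1dJ6sA3hP0vC
        lastupdate = 1660000000

bob:
        password = ab98uhbQ2pkL2
        lastupdate = 1640000000
        flags = ADMCHG
EOF

# Accounts to skip. Assumption: a typical AIX default list; root is
# deliberately absent so it is audited like any other account.
SYSTEM_ACCOUNTS="daemon bin sys adm uucp guest nobody lpd lp invscout snapp ipsec nuucp sshd esaadmin"

# find_crypt_users FILE
# Prints "user flags" (flags is "-" when the stanza has none) for every
# non-system account whose password field is exactly 13 characters and does
# not start with "{", i.e. a DES crypt hash rather than an LPA "{ssha512}..."
# hash, a locked "*" or "!" field, or an empty field.
find_crypt_users() {
    awk -v skip="$SYSTEM_ACCOUNTS" '
    BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
    /^[^ \t]+:[ \t]*$/ {                  # a "user:" line opens a stanza
        user = $1; sub(/:$/, "", user)
        order[++count] = user
        next
    }
    user != "" && $1 == "password" && $2 == "=" { hash[user] = $3; next }
    user != "" && $1 == "flags"    && $2 == "=" {
        f = $3; for (k = 4; k <= NF; k++) f = f $k   # tolerate "A, B" spacing
        flags[user] = f; next
    }
    END {
        for (i = 1; i <= count; i++) {
            u = order[i]
            if (u in sys) continue
            h = hash[u]
            if (length(h) == 13 && h !~ /^\{/)
                print u, (u in flags ? flags[u] : "-")
        }
    }' "$1"
}

# crypt_remediation_plan FILE
# Emits the pwdadm commands the benchmark remediation would run, one per line,
# so they can be reviewed before being executed on a live AIX host.
crypt_remediation_plan() {
    find_crypt_users "$1" | while read -r u f; do
        printf '/usr/bin/pwdadm -c %s\n' "$u"          # clear flags such as NOCHECK
        printf '/usr/bin/pwdadm -f ADMCHG %s\n' "$u"   # require a new password at next login
    done
}

find_crypt_users "$SAMPLE"
crypt_remediation_plan "$SAMPLE"
```

On a real AIX host point find_crypt_users at /etc/security/passwd (readable only by root) and pipe crypt_remediation_plan into sh once the list has been reviewed. Parsing the stanzas directly also avoids a weakness of looking the hash back up with grep -p: two accounts that share a salt and a password produce the same 13-character hash, and a hash lookup then returns both stanzas for one match.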

Item Details


References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.4

Plugin: Unix

Control ID: ee68ebf9de686492b12f2138d505e2d10bc86f50e28610290f7a0171cf9e5803