5.3.2.4.3 Ensure pam_unix includes a strong password hashing algorithm

Information

A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.

Note: These changes only apply to the local system.

Solution

Notes:

- If yescrypt becomes available in a future release, this would also be acceptable. It is highly recommended that the chosen hashing algorithm is consistent across /etc/libuser.conf /etc/login.defs /etc/pam.d/password-auth and /etc/pam.d/system-auth
- This only effects local users and passwords created after updating the files to use sha512 or yescrypt If it is determined that the password algorithm being used is not sha512 or yescrypt once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login.

Run one of the following commands to add a strong password hashing algorithm on the password stack's pam_unix.so module lines:

# pam-config -a --unix --unix-sha512

- OR -

# pam-config -a --unix --unix-yescrypt

See Also

https://workbench.cisecurity.org/benchmarks/20333

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 4db706b95c5d16b970c01c687390c206c29783de892d085ec3dd707c07ab35ec