Use SHA-2 by default instead of MD5 for password encrypting

William Immendorf will.immendorf at gmail.com
Tue Dec 28 22:44:19 PST 2010


On Wed, Dec 29, 2010 at 12:25 AM, Bruce Dubbs <bruce.dubbs at gmail.com> wrote:
> You are probably right about shadow, but the main reason for the
> checksums for package downloads is to provide data integrity, not
> security.  The better way for ensuring a package has not been
> intentionally modified is to use digital signatures.
>
If you just want to use MD5 for just checking to see if a package
isn't corrupted or modified, then I'm fine with that use. For the
others, I would use SHA-2.
> Although PAM is in BLFS, I'm not aware of any changes to that package
> that would be needed to utilize a different login encryption method.
> For changing a password, I think that PAM uses whatever method currently
> is in use.   Let me add a caveat though.  I haven't used PAM in several
> years.  I think it just gets in the way.
Well, I think it uses whatever encryption option is specified as an
argument to pam_unix.so. But, then again, the configuration that BLFS
uses is already using SHA-512 encryption.

The only thing left is to change the sed in the LFS book, and that's it.

-- 
William Immendorf
The ultimate in free computing.
Messages in plain text, please, no HTML.
GPG key ID: 1697BE98
If it's not signed, it's not from me.

--------------

"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
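Switching the default (the ENCRYPT_METHOD setting in shadow's /etc/login.defs, or the sha512 argument to pam_unix.so) only affects hashes written from then on; accounts hashed under the old default keep their MD5 hash until the password is next changed. The following POSIX shell audit is an added example, not code from this thread or from the LFS/BLFS books; the shadow lines it reads are constructed, not real credentials.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (fields: user:hash:lastchg:min:max:warn:inactive:expire:).
# The hash values are placeholders, not real hashes of any password.
SAMPLE_SHADOW='root:$6$saltsalt$fakesha512hash:15000:0:99999:7:::
legacy:$1$saltsalt$fakemd5hash:15000:0:99999:7:::
old:xyAbCdEfGhIjK:15000:0:99999:7:::
locked:!:15000:0:99999:7:::
nopass:*:15000:0:99999:7:::'

# Map a crypt(3) hash field to the scheme that produced it, using the
# standard "$id$" prefixes: $6$ = SHA-512, $5$ = SHA-256, $1$ = MD5.
# A field with no prefix is traditional 13-character DES crypt; "!" and "*"
# mean the account has no usable password.
hash_scheme() {
  case "$1" in
    '$6$'*) echo sha512 ;;
    '$5$'*) echo sha256 ;;
    '$1$'*) echo md5 ;;
    '!'*|'*'|'') echo locked ;;
    *) echo des ;;
  esac
}

# Print "user scheme" for every entry of a shadow-format string.
list_schemes() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
    printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
  done
}

# Print only the users whose stored hash is still MD5 or DES, i.e. the
# accounts a migration to SHA-512 has not reached yet (they need a
# password change before the new default applies to them).
weak_accounts() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
    case "$(hash_scheme "$hash")" in
      md5|des) printf '%s\n' "$user" ;;
    esac
  done
}

# Run on the constructed sample (on a real system: weak_accounts "$(cat /etc/shadow)" as root).
weak_accounts "$SAMPLE_SHADOW"
```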


