Digital Consumption - Blowfish shadow files on Debian

Charles Darke | 8 March 2008

Firstly need to install libpam-unix2:

aptitude install libpam-unix2

Replace the occurrences of pam_unix.so with pam_unix2.so

sed -i 's/pam_unix.so/pam_unix2.so/g' /etc/pam.d/*

In /etc/pam.d/common-password, change md5 to blowfish.

sed -i 's/md5/blowfish/g' /etc/pam.d/*

New or changed passwords will now be encrypted with Blowfish.

If you want to check if everything worked, look at /etc/shadow and see what the hash looks like:

starts with alphanumeric characters and is 13 characters long - password is encrypted with DES
starts with $1$ - password is hashed with MD5
starts with $2$ - password is encrypted with blowfish

Security, Debian, Blowfish, PAM.

Add comment!

New topic

Comments (2)

The nullok_secure option was added to support passwordless pam_unix logins only from ttys listed in /etc/securetty. It was added because nullok was not considered an appropriate option to configure for all services, but there was a need to support passwordless root logins on tty2 on newly installed Debian systems when base-config has not yet been run to configure a root password.

nullok_secure was/is a Debian-specific patch and has not yet been implemented in pam_unix2.so

Written by Charles Darke at 2:45am, 25 May 2008.

See also issue with gnome-screensaver:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295526

Hopefully, now fixed in unstable.

Written by Charles Darke at 2:53am, 25 May 2008.

About | Forum | Feeds | Tags | Contact

Comments (2)

Mini-log