Forum Discussion
Theor, Jul 25, 2013 (Aspirant)
PAM - Upgrading to SHA512 password hashes
Hi everyone, I'm reviewing the security of my environment and I've noticed the ReadyNAS passwords are still stored as MD5 hashes in /etc/shadow. Even more puzzling is a maximum password size set to...
Theor, Jul 26, 2013 (Aspirant) - Solved
Using SHA512 is tricky because it involves upgrading some critical parts of the system. Thankfully we can use bcrypt, a strong hash based on Blowfish (stronger than SHA512 if your password/passphrase is shorter than 52 characters).
Here's the beginner-friendly step-by-step guide:
- First we'll create a temporary user to test our changes, in case something goes wrong:
#adduser foo
Answer Y everywhere and give a temporary password such as Password1234.
- Make sure the user has been added and note the hash:
#cat /etc/shadow
It must look like this:
user:hash (1 for MD5):salt:digest
foo:$1$HwBrp9DK$jXrwgOofbIHx3dMG/mAqD0:
- Okay, moving on. Enable the Etch repository:
#nano /etc/apt/sources.list
Uncomment the following line: #deb http://archive.debian.org/debian etch main
- Sync the local package DB with the repository:
#apt-get update
- Install libpam-unix2, which provides the bcrypt password hashing:
#apt-get install libpam-unix2
After this operation, 307kB of additional disk space will be used.
Do you want to continue [Y/n]? y
- Tell PAM to use libpam-unix2 for authentication. Let's do it everywhere with one command line:
#perl -pi -w -e 's/pam_unix.so/pam_unix2.so/g;' /etc/pam.d/*
- Some more editing:
#nano /etc/pam.d/common-auth
Change nullok_secure to nullok.
#nano /etc/pam.d/common-password
Remove "max=8" and change md5 to blowfish:
"password required pam_unix2.so nullok obscure min=4 blowfish"
Do the same for /etc/pam.d/password (that's RAIDiator specific).
Optionally, you can also remove the "max=8" from /etc/pam.d/login.
- Let's test the changes:
#passwd foo
Password1234
Password1234
#cat /etc/shadow | grep foo
It should now use bcrypt (2a):
foo:$2a$05$xenvd3mc6Lkt7/SGMfuz6.hW9Lg9IOkMvvplVWzuL5bfUH7jHfND2:
(a 53-character hash composed of a 22-character salt and a 31-character Blowfish-encrypted output)
- We're never too sure, so let's make sure foo can log in:
#logout
$ssh <NAS IP> -l foo
Enter password:
- If everything's okay, you can now change every remaining password so they're all hashed with bcrypt. Check the result in /etc/shadow.
Upgrading your passwords from MD5 is highly recommended if you host sensitive data.
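The last step of the answer above says to check /etc/shadow after re-hashing every account. Here is an added example (not part of the forum post or of RAIDiator) that does that check automatically: it classifies each entry by its crypt(3) "$id$" prefix, flags accounts still on MD5, and verifies that a bcrypt hash has the 22-character salt plus 31-character digest the post describes. The shadow lines it runs on are constructed sample data, so it can be tried without touching a real system; to audit a real NAS, pipe /etc/shadow into audit_shadow as root instead.

```shell
#!/bin/sh
# Added example, not from the forum post: audit shadow-format entries and
# report which password hash algorithm each account uses.

# Map a crypt(3)-style hash to an algorithm name by its "$id$" prefix.
# Entries starting with "*" or "!" (or empty) are locked/disabled accounts.
# Legacy 13-character DES hashes have no prefix and are reported as "unknown".
classify_hash() {
  case "$1" in
    '$1$'*)                  echo md5 ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
    '$5$'*)                  echo sha256 ;;
    '$6$'*)                  echo sha512 ;;
    '*'|'!'*|'')             echo locked ;;
    *)                       echo unknown ;;
  esac
}

# Check that a bcrypt hash has the expected shape: "$2x$NN$" followed by
# 22 salt characters and 31 digest characters (53 in total).
bcrypt_shape_ok() {
  rest=${1#\$2?\$??\$}
  [ "$rest" != "$1" ] && [ ${#rest} -eq 53 ]
}

# Print "user algorithm" for each shadow-format line read from stdin.
audit_shadow() {
  while IFS=: read -r user hash _rest; do
    [ -n "$user" ] || continue
    printf '%s %s\n' "$user" "$(classify_hash "$hash")"
  done
}

# Constructed sample shadow entries (fake hashes, assumption: not real accounts).
SAMPLE_SHADOW='root:$1$abcdefgh$0123456789abcdefghijkl:15900:0:99999:7:::
foo:$2a$05$abcdefghijklmnopqrstu.0123456789012345678901234567890:15900:0:99999:7:::
daemon:*:15900:0:99999:7:::
admin:$6$saltsalt$longhashgoeshere:15900:0:99999:7:::'

# Number of accounts in the sample whose password is still an MD5 hash.
count_md5() {
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | grep -c ' md5$'
}

# Stand-alone run: list every account and report how many are still on MD5.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
echo "accounts still on MD5: $(count_md5)"
```

The MD5 count is the number to drive to zero after following the guide; any account that the audit lists as "unknown" deserves a manual look, since it is either a legacy DES hash or something the script does not recognise.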