Use PAM to increase SHA-512 password rounds
Originally created by @cypherpunks on #15053 (Redmine)
The pam_unix
module is responsible for managing Linux’s shadow
passwords. By default, it does a single, salted SHA-512 hash on the
administrator password, when one is set. It is well known that passwords
should never be stored using a single cryptographic hash because of its
speed. The recommended solution is to use a KDF like bcrypt or PBKDF2.
However, glibc’s crypt(3)
does not support either of these. Linux PAM
gets around this by using multiple rounds of a hash to strengthen the
password, but it is not enabled by default. It can be done by modifying
the /etc/pam.d/system-auth
file. For example:
--- /etc/pam.d/system-auth
+++ /etc/pam.d/system-auth
@@ -7 +7 @@
-password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow rounds=1000000
Adding the rounds
argument increases the number of hash iterations
used by default when hashing a password. This results in the shadow
file containing an extra field specifying the number of rounds. This is
completely transparent to the user, and greatly increases the work
factor required to crack the password. Tails should utilize this to
further protect users against an adversary able to obtain this file,
whether through physical access or through LPE.
The number of rounds determines how long it will take to generate the password hash. On a single Haswell i7 mobile core @ 2.80GHz, it takes slightly over half a second to perform one million SHA-512 rounds using PAM. Older processors may take longer. The number of rounds can be reduced if this proves to be an issue.