Changing the password algorithm (posted 2019.12.30)

This does not work on RHEL 5.0 and 5.1, because the authconfig command in those versions has no option for changing the password hashing algorithm.
It works once the authconfig package is updated to the 5.2 build, but because of dependent packages you cannot update that one package on its own.

<Packages required when patching the authconfig package>
authconfig-5.3.21-3.el5.x86_64.rpm
authconfig-gtk-5.3.21-3.el5.x86_64.rpm
glibc-2.5-24.i686.rpm
glibc-2.5-24.x86_64.rpm
glibc-common-2.5-24.x86_64.rpm
glibc-devel-2.5-24.i386.rpm
glibc-devel-2.5-24.x86_64.rpm
glibc-headers-2.5-24.x86_64.rpm
pam-0.99.6.2-3.27.el5.i386.rpm
pam-0.99.6.2-3.27.el5.x86_64.rpm
pam-devel-0.99.6.2-3.27.el5.x86_64.rpm
shadow-utils-4.0.17-13.el5.x86_64.rpm

A test log follows the change procedure below; refer to it as needed.

After changing the password algorithm, the hardening settings previously applied in /etc/pam.d/system-auth have to be reapplied, since authconfig regenerates that file.

1. Checking and changing the password algorithm
[Check]
# authconfig --test | grep hashing
password hashing algorithm is sha512

# cat /etc/sysconfig/authconfig | grep ALGORITHM
PASSWDALGORITHM=sha512

[Change]
# authconfig --passalgo=sha512 --update
On RHEL 5.2 and later, this method was verified to work in testing.

2. On early RHEL 5.0 releases
</etc/pam.d/system-auth>
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

</etc/login.defs>
# cat /etc/login.defs | grep ENCRY
ENCRYPT_METHOD SHA256

</etc/libuser.conf>
# cat /etc/libuser.conf | grep crypt_style
crypt_style = sha256

[Hash prefixes in the shadow file]
$1  = MD5 hashing algorithm
$2  = Blowfish algorithm
$2a = eksblowfish algorithm
$5  = SHA-256 algorithm
$6  = SHA-512 algorithm

(Example)
suser:$5$p.WE79DA$1i6qZM01up1Kembati3e04oqGa1yhy4UpCoE3oGtbMC:16722:0:99999:7:::


[Files modified by the change]
/etc/pam.d/system-auth
/etc/pam.d/password-auth
/etc/login.defs
/etc/libuser.conf
/etc/sysconfig/authconfig

</etc/pam.d/system-auth>
# cat /etc/pam.d/system-auth
...(skip)...
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=10 unlock_time=3600 magic_root
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally.so
...(skip)...

============================================
<Test log>
============================================
[skroot@rhel5 patch]$ ll
total 35544
-rw-r--r-- 1 skroot skroot   463549  4월  4  2008 authconfig-5.3.21-3.el5.x86_64.rpm
-rw-r--r-- 1 skroot skroot    46977  4월  4  2008 authconfig-gtk-5.3.21-3.el5.x86_64.rpm
-rw-r--r-- 1 skroot skroot  5415445  4월 26  2008 glibc-2.5-24.i686.rpm
-rw-r--r-- 1 skroot skroot  4906472  4월 26  2008 glibc-2.5-24.x86_64.rpm
-rw-r--r-- 1 skroot skroot 16909197  4월 26  2008 glibc-common-2.5-24.x86_64.rpm
-rw-r--r-- 1 skroot skroot  2105018  4월 26  2008 glibc-devel-2.5-24.i386.rpm
-rw-r--r-- 1 skroot skroot  2535427  4월 26  2008 glibc-devel-2.5-24.x86_64.rpm
-rw-r--r-- 1 skroot skroot   615626  4월 26  2008 glibc-headers-2.5-24.x86_64.rpm
-rw-r--r-- 1 skroot skroot   996610  2월 14  2008 pam-0.99.6.2-3.27.el5.i386.rpm
-rw-r--r-- 1 skroot skroot   993065  2월 14  2008 pam-0.99.6.2-3.27.el5.x86_64.rpm
-rw-r--r-- 1 skroot skroot   192964  2월 14  2008 pam-devel-0.99.6.2-3.27.el5.x86_64.rpm
-rw-r--r-- 1 skroot skroot  1103288  1월 19  2008 shadow-utils-4.0.17-13.el5.x86_64.rpm
[skroot@rhel5 patch]$ sudo rpm -Uvh ./*.rpm
warning: ./authconfig-5.3.21-3.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
   1:glibc-common           ########################################### [  8%]
   2:glibc                  ########################################### [ 17%]
   3:glibc                  warning: /etc/ld.so.conf created as /etc/ld.so.conf.rpmnew
warning: /etc/nsswitch.conf created as /etc/nsswitch.conf.rpmnew
########################################### [ 25%]
   4:pam                    warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
########################################### [ 33%]
   5:glibc-headers          ########################################### [ 42%]
   6:pam                    warning: /etc/pam.d/config-util created as /etc/pam.d/config-util.rpmnew
warning: /etc/pam.d/other created as /etc/pam.d/other.rpmnew
warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
warning: /etc/security/access.conf created as /etc/security/access.conf.rpmnew
warning: /etc/security/chroot.conf created as /etc/security/chroot.conf.rpmnew
warning: /etc/security/console.handlers created as /etc/security/console.handlers.rpmnew
warning: /etc/security/group.conf created as /etc/security/group.conf.rpmnew
warning: /etc/security/limits.conf created as /etc/security/limits.conf.rpmnew
warning: /etc/security/namespace.conf created as /etc/security/namespace.conf.rpmnew
warning: /etc/security/namespace.init created as /etc/security/namespace.init.rpmnew
warning: /etc/security/opasswd created as /etc/security/opasswd.rpmnew
warning: /etc/security/pam_env.conf created as /etc/security/pam_env.conf.rpmnew
warning: /etc/security/time.conf created as /etc/security/time.conf.rpmnew
########################################### [ 50%]
   7:shadow-utils           ########################################### [ 58%]
   8:authconfig             ########################################### [ 67%]
   9:authconfig-gtk         ########################################### [ 75%]
  10:glibc-devel            ########################################### [ 83%]
  11:glibc-devel            ########################################### [ 92%]
  12:pam-devel              ########################################### [100%]
[skroot@rhel5 patch]$ sudo authconfig --test | grep hash
 password hashing algorithm is md5
[skroot@rhel5 authconfig_patch]$ sudo authconfig --passalgo=sha256 --update
[skroot@rhel5 authconfig_patch]$ sudo authconfig --test | grep hash
 password hashing algorithm is sha256
[skroot@rhel5 ~]$ sudo cat /etc/shadow | tail 
...(skip)...
skroot:$1$SFq0aHFH$O1pmlitoqMweoT4.My0sx0:18228:0:99999:7:::
...(skip)...
[skroot@rhel5 ~]$ passwd
Changing password for user skroot.
Changing password for skroot
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
[skroot@rhel5 ~]$ sudo cat /etc/shadow | tail 
...(skip)...
skroot:$5$VeJqH.cH$5Ua1byXXYNTJ8Osi.FJLyp9KnN2pYxJ99vW5govqMIA:18228:0:99999:7:::
...(skip)...
============================================
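The test log above shows that changing the algorithm only affects hashes written afterwards: skroot keeps the old $1$ (MD5) hash until running passwd. As an added example that is not part of the original post, the POSIX shell audit below applies the prefix table from the shadow section to a shadow-format file and lists the accounts whose stored hash still differs from the PASSWDALGORITHM in /etc/sysconfig/authconfig; the sample shadow and authconfig contents are constructed (two hashes copied from the post, the rest made up) and the function names are my own.

```shell
# Constructed sample input: the skroot and suser hashes are the ones shown in
# the post's shadow output; the admin and daemon lines are made up.
SAMPLE_SHADOW='skroot:$1$SFq0aHFH$O1pmlitoqMweoT4.My0sx0:18228:0:99999:7:::
suser:$5$p.WE79DA$1i6qZM01up1Kembati3e04oqGa1yhy4UpCoE3oGtbMC:16722:0:99999:7:::
admin:$6$FAKESALT$FAKEHASHPLACEHOLDER:18228:0:99999:7:::
daemon:*:18228:0:99999:7:::'

# Constructed /etc/sysconfig/authconfig content after "--passalgo=sha512 --update".
SAMPLE_AUTHCONFIG='USESHADOW=yes
PASSWDALGORITHM=sha512'

# Map one shadow password field to an algorithm name, using the prefix table
# from the post ($1 MD5, $2 Blowfish, $2a eksblowfish, $5 SHA-256, $6 SHA-512).
hash_algo() {
    case "$1" in
        '$1$'*)      echo md5 ;;
        '$2a$'*)     echo eksblowfish ;;
        '$2$'*)      echo blowfish ;;
        '$5$'*)      echo sha256 ;;
        '$6$'*)      echo sha512 ;;
        ''|'*'|'!'*) echo locked ;;   # empty, "*" or "!..." means no usable hash
        *)           echo unknown ;;
    esac
}

# Extract PASSWDALGORITHM from authconfig-style content passed in $1.
configured_algo() {
    printf '%s\n' "$1" | sed -n 's/^PASSWDALGORITHM=//p'
}

# Print (space-separated) the accounts whose stored hash does not use the
# configured algorithm; $1 = shadow content, $2 = authconfig content.
stale_accounts() {
    want=$(configured_algo "$2")
    out=""
    while IFS=: read -r user hash _rest; do
        algo=$(hash_algo "$hash")   # locked accounts have nothing to re-hash
        if [ -n "$user" ] && [ "$algo" != locked ] && [ "$algo" != "$want" ]; then
            out="$out $user"
        fi
    done <<EOF
$1
EOF
    echo "${out# }"
}

stale_accounts "$SAMPLE_SHADOW" "$SAMPLE_AUTHCONFIG"   # prints: skroot suser
```

On a real host the same check runs as `sudo cat /etc/shadow` and `cat /etc/sysconfig/authconfig` piped into these functions; every listed account needs a password change before the new algorithm actually protects it.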

Posted by minjunc