Ubuntu: change default encryption algorithm

While fighting with DB2 denying logins I had to change the default hash algorithm used to store passwords in /etc/shadow.

As far as I know (and as grep -i -r "sha512" /etc/* tells me :-) ), there are two files that carry this information. Namely /etc/pam.d/common-password and /etc/login.defs.

To change the algorithm from sha512 (which ships as the default in the new Ubuntu releases), change this:

/etc/pam.d/common-password

password [success=1 default=ignore] pam_unix.so obscure sha512

to

password [success=1 default=ignore] pam_unix.so obscure md5

/etc/login.defs

ENCRYPT_METHOD SHA512

to

ENCRYPT_METHOD MD5
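Changing these two settings only affects passwords set afterwards; existing /etc/shadow entries keep their old hash until the password is changed. The following is an added example, not part of the original post: it checks that the two files agree and lists which scheme each account's stored hash uses, judged by its crypt prefix. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# shadow_schemes FILE: print "user scheme" for each line of a shadow-format file,
# judging the scheme by the crypt(3) prefix of the stored hash.
shadow_schemes() {
    awk -F: '{
        h = $2
        sub(/^!+/, "", h)              # leading "!" marks a locked password
        p = substr(h, 1, 3)
        if (h == "" || h == "*") s = "no-hash"
        else if (p == "$1$")     s = "MD5"
        else if (p == "$5$")     s = "SHA256"
        else if (p == "$6$")     s = "SHA512"
        else if (p == "$y$")     s = "yescrypt"
        else                     s = "other"
        print $1, s
    }' "$1"
}

# configured_methods PAMFILE DEFSFILE: print both settings, return 0 if they agree.
configured_methods() {
    pam=$(awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(md5|sha256|sha512|yescrypt)$/) print toupper($i)
    }' "$1")
    defs=$(awk '$1 == "ENCRYPT_METHOD" { print toupper($2) }' "$2")
    echo "pam=$pam login.defs=$defs"
    [ -n "$pam" ] && [ "$pam" = "$defs" ]
}

# Constructed sample files (hash values are shortened placeholders, not real hashes).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure md5' > "$demo/common-password"
printf '%s\n' '# comment' 'ENCRYPT_METHOD MD5' > "$demo/login.defs"
printf '%s\n' 'alice:$6$saltsalt$PLACEHOLDER:19000:0:99999:7:::' \
              'bob:$1$xyz$PLACEHOLDER:19000:0:99999:7:::' \
              'daemon:*:19000:0:99999:7:::' > "$demo/shadow"

configured_methods "$demo/common-password" "$demo/login.defs" || echo "settings differ"
shadow_schemes "$demo/shadow"
```

On a real system, run the two functions as root against /etc/pam.d/common-password, /etc/login.defs and /etc/shadow instead of the sample files.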


2 Responses to “Ubuntu: change default encryption algorithm”

  1. ainande says:

    Hi there

    Thanks for this entry, it is well explained and understandable.
    Yet I still have a question (which doesn't really have anything to do with the algorithm, but anyway you may have an idea).
    I'm wondering whether it's possible to reset the passphrase – I may have changed it or just forgot it, and now I wonder if I could maybe encrypt a string (new password) with the right algorithm and then replace the hash of the old password in a specific file (I still can start up my system n all that..)

    Greets

  2. honza says:

    Hi ainande,

    use
    echo username:password | chpasswd -S -c MD5
    It supports both MD5 and SHA512 (besides others). Salt is generated randomly.

    To generate MD5 password only (without having to give the username) you can use
    openssl passwd -1 -salt xyz
    In this case, you choose the salt.
