While fighting with DB2 denying logins I had to change the default hash algorithm used to store passwords in /etc/shadow.
As far as I know (and as grep -i -r "sha512" /etc/* tells me), there are two files that carry this information, namely /etc/pam.d/common-password and /etc/login.defs.
To change the algorithm from sha512 (which ships as the default in the new Ubuntu releases), change this:
/etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512
to
password [success=1 default=ignore] pam_unix.so obscure md5
/etc/login.defs
ENCRYPT_METHOD SHA512
to
ENCRYPT_METHOD MD5
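Both settings only affect passwords set after the change; hashes already in /etc/shadow keep their scheme, visible in the $id$ prefix ($1$ = MD5, $5$ = SHA-256, $6$ = SHA-512, $y$ = yescrypt), until the password is set again. The following check is an added example, not part of the original post: it reads the configured method from both files and lists accounts whose stored hash is in a different scheme. The function names and the sample files are constructed for illustration; pass copies of the real files as arguments.

```shell
# Added example. File paths are arguments, so it can be run on copies.

# Print "user scheme" for every account that has a password hash set.
shadow_schemes() {
    awk -F: '
        $2 ~ /^[!*]*$/ { next }                 # no password / locked without hash
        {
            h = $2; sub(/^!+/, "", h)           # drop the "locked" marker
            if      (h ~ /^\$1\$/) s = "md5"
            else if (h ~ /^\$5\$/) s = "sha256"
            else if (h ~ /^\$6\$/) s = "sha512"
            else if (h ~ /^\$y\$/) s = "yescrypt"
            else                   s = "other"
            print $1, s
        }' "$1"
}

# Scheme set by ENCRYPT_METHOD in a login.defs-format file, lower-cased.
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = tolower($2) } END { print m }' "$1"
}

# Scheme option on the pam_unix.so password line of a PAM file.
pam_unix_method() {
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^(md5|sha256|sha512|yescrypt)$/) m = $i
         } END { print m }' "$1"
}

# Accounts whose stored hash is not in the expected scheme ($2).
stale_accounts() {
    shadow_schemes "$1" | awk -v want="$2" '$2 != want { print $1 }'
}

# Constructed sample files (hash bodies are placeholders, not real hashes).
make_sample() {
    printf '%s\n' 'root:!:19000:0:99999:7:::' \
        'dbuser:$1$CONSTRUCTED$placeholderplaceholder:19000:0:99999:7:::' \
        'alice:$6$CONSTRUCTED$placeholderplaceholder:19000:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '# comment' 'ENCRYPT_METHOD MD5' > "$1/login.defs"
    printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure md5' > "$1/common-password"
}

d=$(mktemp -d) && make_sample "$d"
want=$(login_defs_method "$d/login.defs")
[ "$want" = "$(pam_unix_method "$d/common-password")" ] || echo "login.defs and PAM disagree"
echo "configured: $want; accounts still on another scheme: $(stale_accounts "$d/shadow" "$want")"
rm -rf "$d"
```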
Hi there
Thanks for this entry, it is well explained and understandable.
Yet I still have a question (which doesn't really have anything to do with the algorithm, but anyway you may have an idea)..
I'm wondering whether it's possible to reset the passphrase – I may have changed it or just forgotten it, and now I wonder if I could maybe encrypt a string (new password) with the right algorithm and then replace the hash of the old password in a specific file (I still can start up my system n all that..)
Greets
Hi ainande,
use
echo username:password | chpasswd -S -c MD5
It supports both MD5 and SHA512 (besides others). Salt is generated randomly.
To generate MD5 password only (without having to give the username) you can use
openssl passwd -1 -salt xyz
In this case, you choose the salt.