On 6/28/2010 11:20 PM, Bruce Dubbs wrote:
> I'm not sure I want to change it to SHA512 in the actual instruction,
> but we might mention in the text that SHA256 and SHA256 are other options.
>
> We probably need to also mention:
>
> # Note: If you use PAM, it is recommended to use a value consistent with
> # the PAM modules configuration.

Yeah, when I first was doing research into this, I deciphered how Fedora/Red Hat did it (even Red Hat Enterprise Linux enabled SHA512 passwords two years ago in version 5.2), and I had to chase PAM down to figure it out. It is much easier to change with just shadow.

> Other opinions?

I'm scouring Google for opinions as to whether or not SHA256 or SHA512 is "better", or if SHA512 is "worth it". I would guess either is an improvement over MD5 (since MD5 can, theoretically, have collisions generated for it), but it might be nice to actually have words describing the tradeoffs/value for each. I'll keep looking.

The current verbiage on the shadow page actually refers to it as password encryption... these other methods (MD5 included) are actually hashes. It also might be good to use the "hash" word when describing MD5, rather than "encryption".

Kevin
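
Added example, not part of the e-mail above or of the LFS book: a small audit that compares the `ENCRYPT_METHOD` value in `login.defs` with the hash option on the `pam_unix` password line, then lists accounts whose stored hash in the shadow file still uses a different method (existing hashes only change when the password is next set). The file contents are constructed samples, and reading the method from the `$1$`/`$5$`/`$6$` prefix is the only detection used.

```python
import re
PREFIX_TO_METHOD = {"1": "MD5", "5": "SHA256", "6": "SHA512"}  # crypt(3) hash ids

def login_defs_method(text):
    """ENCRYPT_METHOD value from login.defs text, or None if unset."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "ENCRYPT_METHOD":
            return fields[1].upper()

def pam_unix_method(text):
    """Hash option given on the pam_unix password line, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["password"] and any("pam_unix" in f for f in fields):
            for opt in fields:
                if opt.lower() in ("md5", "sha256", "sha512"):
                    return opt.upper()

def shadow_methods(text):
    """Map each account that has a stored hash to the method its prefix names."""
    found = {}
    for line in text.splitlines():
        parts = line.split(":")
        field = parts[1].lstrip("!") if len(parts) > 1 else ""  # "!" = locked
        if field in ("", "*"):
            continue
        m = re.match(r"\$([0-9a-z]+)\$", field)
        found[parts[0]] = PREFIX_TO_METHOD.get(m.group(1), "OTHER") if m else "LEGACY"
    return found

def audit(login_defs, pam_conf, shadow):
    """List config mismatches and accounts whose hash differs from the setting."""
    findings = []
    wanted, pam = login_defs_method(login_defs), pam_unix_method(pam_conf)
    if wanted and pam and wanted != pam:
        findings.append(f"mismatch: login.defs={wanted} pam_unix={pam}")
    for user, method in sorted(shadow_methods(shadow).items()):
        if wanted and method != wanted:
            findings.append(f"{user}: stored hash is {method}, expected {wanted}")
    return findings

# Constructed sample files; the hash bodies are placeholders, not real hashes.
LOGIN_DEFS = "# sample\nENCRYPT_METHOD SHA512\n"
PAM_CONF = "password  required  pam_unix.so  md5 shadow\n"
SHADOW = ("root:$6$salt$PLACEHOLDER:14788:0:99999:7:::\n"
          "alice:$1$salt$PLACEHOLDER:14000:0:99999:7:::\n"
          "bin:*:14788:0:99999:7:::\n"
          "bob:!$5$salt$PLACEHOLDER:14788:0:99999:7:::\n")
```

Calling `audit(LOGIN_DEFS, PAM_CONF, SHADOW)` on the samples reports the `login.defs`/`pam_unix` mismatch plus the two accounts still holding MD5 and SHA256 hashes.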