I have an embedded Linux device with a fairly modern Linux kernel. However, a strange thing happened with the last update: when a password is modified with passwd for any user, the salt value in /etc/shadow is replaced with rounds=65536, so an entry will look like root:$6$rounds=65536$6mA.... I suspect PAM is doing this. Does anyone have any idea what issue with PAM could cause such behaviour?
1 Answer
Your update has probably changed the PAM configuration to harden the security of the password hashes in your shadow file. See also this hardening guide and the documentation of the crypt function:
- https://madaidans-insecurities.github.io/guides/linux-hardening.html#increase-hashing-rounds
- https://man7.org/linux/man-pages/man3/crypt.3.html
If an attacker gets access to the shadow file they can try to recover the password from the salt and hash by brute force, but this has become about 13 times harder than the default of 5000 rounds.
This information needs to be stored alongside the algorithm, salt and hash in order for the login function to know how to verify the password of this account in the future.
The number 65536 should match the compute power of your embedded device: if it is too high, it will take a long time to verify a password; if it is too low, an attacker with a lot of compute power (e.g. ASICs) could easily brute-force the hash to find the password.
Update:
Since pam release 1.6.0, the SHA-512 rounds option can be configured by either editing the /etc/login.defs file and setting a value for the SHA_CRYPT_MAX_ROUNDS parameter, or editing /etc/pam.d/passwd and adding the rounds with an appropriate value. (Source: https://wiki.archlinux.org/title/SHA_hashes; they also mention 65536, but its origin is unclear. For more information see also the related concept of password-based key derivation functions: https://en.wikipedia.org/wiki/PBKDF2)
- Note that 65536 is 2^16, although it is not clear if this is a limit or just a nice round number to pick. – user10489, Oct 14, 2024 at 22:03
The rounds part is probably added to the salt and doesn't replace it. If the default number of rounds (5,000) for SHA512-crypt is used, then there's no need for an explicit rounds parameter. However, if it's increased to 65,536 like in your case, then it's necessary to explicitly specify rounds=65536. This is not an issue at all.
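As an added example (not part of the question, the answer or the comments), here is a small Python audit script that parses shadow-style $5$/$6$ password fields the way the answer and the last comment describe: the rounds= field sits in front of the salt rather than replacing it, an omitted rounds= means the default of 5000, and the ratio to that default is the factor by which every guess becomes slower for an attacker who obtains the shadow file. The sample shadow lines, salts and hashes are constructed placeholders, not real digests; the 1000..999999999 rounds range is the one the SHA-crypt specification (as implemented in glibc) allows, with values outside it being clamped rather than honoured.

```python
import re

# SHA-crypt parameters as specified and implemented in glibc:
# rounds= may be omitted (meaning 5000) and is clamped to [1000, 999999999].
SHA_CRYPT_DEFAULT_ROUNDS = 5000
SHA_CRYPT_MIN_ROUNDS = 1000
SHA_CRYPT_MAX_ROUNDS = 999_999_999

# $5$ = sha256crypt, $6$ = sha512crypt. The optional "rounds=N$" sits between
# the algorithm id and the salt; the salt itself is at most 16 characters.
_SHA_CRYPT_RE = re.compile(
    r"^\$(?P<algo>[56])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$"
    r"(?P<hash>[./0-9A-Za-z]+)$"
)


def parse_sha_crypt(field):
    """Split a $5$/$6$ password field into algorithm, rounds, salt and hash.

    Returns None when the field is not a SHA-crypt string: locked accounts
    ("!" or "*"), other algorithms such as $y$ or $1$, or an empty field.
    """
    m = _SHA_CRYPT_RE.match(field)
    if m is None:
        return None
    explicit = m.group("rounds") is not None
    rounds = int(m.group("rounds")) if explicit else SHA_CRYPT_DEFAULT_ROUNDS
    return {
        "algorithm": "sha512crypt" if m.group("algo") == "6" else "sha256crypt",
        "rounds": rounds,
        "rounds_explicit": explicit,
        "salt": m.group("salt"),
        "hash": m.group("hash"),
        # how much slower one guess is compared with the 5000-round default
        "cost_vs_default": rounds / SHA_CRYPT_DEFAULT_ROUNDS,
    }


def audit_shadow(shadow_text, min_rounds=SHA_CRYPT_DEFAULT_ROUNDS):
    """Return one finding per shadow line: which accounts use SHA-crypt, with how
    many rounds, and whether that value is below the policy floor (min_rounds,
    a hypothetical local policy) or outside the range glibc actually honours."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        password_field = fields[1] if len(fields) > 1 else ""
        parsed = parse_sha_crypt(password_field)
        if parsed is None:
            findings.append({"user": user, "status": "not-sha-crypt"})
            continue
        problems = []
        if parsed["rounds"] < min_rounds:
            problems.append("below-policy")
        if not SHA_CRYPT_MIN_ROUNDS <= parsed["rounds"] <= SHA_CRYPT_MAX_ROUNDS:
            problems.append("out-of-range")  # glibc would clamp, not honour, this
        status = "ok" if not problems else ",".join(problems)
        findings.append({"user": user, "status": status, **parsed})
    return findings


# Constructed sample shadow lines; salts and hashes are placeholders, not real digests.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=65536$6mAxyz12$" + "h" * 86 + ":19900:0:99999:7:::",   # like the question
    "alice:$6$Qz9abc12$" + "h" * 86 + ":19900:0:99999:7:::",               # no rounds= -> 5000
    "bob:$6$rounds=500$Qz9abc12$" + "h" * 86 + ":19900:0:99999:7:::",      # below glibc minimum
    "daemon:*:19900:0:99999:7:::",                                         # locked, no hash
    "svc:!:19900:0:99999:7:::",                                            # locked, no hash
])

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Running it on a real /etc/shadow (as root, read-only) tells you at a glance which accounts were rehashed after the update and which still carry the 5000-round default, since a password hash only changes when the password is next set.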