passwd Command as a FIPS 140-2 Consumer

The passwd command is a consumer of the userland Cryptographic Framework. Two configuration files, /etc/security/crypt.conf and /etc/security/policy.conf, determine which password hash the system uses.

The passwd command calls the crypt function through the PAM modules pam_authtok_store.so.1 and pam_unix_auth.so.1. The crypt function dynamically loads hash plugins from the message digest library, libmd, according to the entries in the crypt.conf file. Available plugins include SHA256, SHA512, and MD5. The policy.conf file lists which of these plugins are allowed for password hashing. By default, the policy.conf file does not allow the use of MD5.

Note:

The cryptographic password hash policy in the /etc/security/policy.conf file promotes interoperability with systems that use non-FIPS 140-2 hashes. To promote FIPS 140-2 security, remove any non-FIPS 140-2 hashes from the CRYPT_ALGORITHMS_ALLOW entry in the policy.conf file.
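The following shell script is an added example, not part of the Oracle Solaris documentation or product. It audits a policy.conf-style file for non-FIPS 140-2 identifiers in CRYPT_ALGORITHMS_ALLOW, writes a hardened copy that keeps only the SHA256 and SHA512 identifiers, and looks up which crypt.conf plugin each identifier loads. The two configuration files it reads are constructed samples written to a temporary directory, not the system files; the identifier-to-plugin mapping (1, 2a, md5, 5, 6) follows the crypt.conf(4) layout as the author of this example recalls it and is an assumption, as is the choice of 5 and 6 as the FIPS 140-2 set.

```shell
#!/bin/sh
# Added example (not Oracle Solaris code): audit CRYPT_ALGORITHMS_ALLOW against
# the FIPS 140-2 hash identifiers and produce a hardened copy of the file.
# Assumption: identifiers 5 (SHA256) and 6 (SHA512) are the FIPS 140-2 set;
# everything else in the allow list (1, 2a, md5, ...) is treated as non-FIPS.

FIPS_ALGS="5 6"

# Print the value of CRYPT_ALGORITHMS_ALLOW from the given file (empty if absent).
allowed_algs() {
    sed -n 's/^CRYPT_ALGORITHMS_ALLOW=//p' "$1" | tail -n 1
}

# Print the allow-list identifiers that are not in FIPS_ALGS, space-separated.
non_fips_algs() {
    _out=""
    for _alg in $(allowed_algs "$1" | tr ',' ' '); do
        _found=no
        for _f in $FIPS_ALGS; do
            [ "$_alg" = "$_f" ] && _found=yes
        done
        [ "$_found" = no ] && _out="$_out $_alg"
    done
    printf '%s\n' "${_out# }"
}

# Write a copy of file $1 to $2 with non-FIPS identifiers removed from the allow list.
harden_policy() {
    _keep=""
    for _alg in $(allowed_algs "$1" | tr ',' ' '); do
        for _f in $FIPS_ALGS; do
            [ "$_alg" = "$_f" ] && _keep="$_keep,$_alg"
        done
    done
    sed "s/^CRYPT_ALGORITHMS_ALLOW=.*/CRYPT_ALGORITHMS_ALLOW=${_keep#,}/" "$1" > "$2"
}

# Print the plugin that crypt.conf-style file $1 maps identifier $2 to.
plugin_for() {
    awk -v id="$2" '$1 == id { print $2 }' "$1"
}

# Constructed sample files in a temporary directory (not the real /etc/security files).
SAMPLE_DIR=$(mktemp -d)
WEAK="$SAMPLE_DIR/policy.conf.weak"
HARD="$SAMPLE_DIR/policy.conf.hardened"
CRYPTCONF="$SAMPLE_DIR/crypt.conf"

# Interoperability-oriented allow list that still permits MD5-based hashes.
cat > "$WEAK" <<'EOF'
# constructed sample, not a real system file
CRYPT_DEFAULT=5
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
EOF

# Assumed identifier-to-plugin mapping in the crypt.conf(4) layout.
cat > "$CRYPTCONF" <<'EOF'
# constructed sample, not a real system file
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
EOF

# Report: which non-FIPS identifiers are allowed, and which plugin each would load.
for _bad in $(non_fips_algs "$WEAK"); do
    printf 'non-FIPS identifier %s allowed (plugin %s)\n' \
        "$_bad" "$(plugin_for "$CRYPTCONF" "$_bad")"
done
harden_policy "$WEAK" "$HARD"
printf 'hardened CRYPT_ALGORITHMS_ALLOW=%s\n' "$(allowed_algs "$HARD")"
```

The hardened copy is written to a separate file so that the result can be reviewed before it replaces the live policy; applying it to /etc/security/policy.conf only affects how new passwords are hashed, and existing entries hashed with a removed identifier keep working until the user's password is changed.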

See also: