passwd Command as a FIPS 140-2 Consumer
The passwd command is a consumer of the userland Cryptographic Framework. Two configuration files, /etc/security/crypt.conf and /etc/security/policy.conf, determine which password hash the system uses.

The passwd command calls the crypt(3C) function through the PAM modules pam_authtok_store.so.1 and pam_unix_auth.so.1. The crypt function dynamically loads plugins from the message digest library, libmd, based on entries in the crypt.conf file. Available plugins include SHA256, SHA512, and MD5. The policy.conf file lists the plugins that are allowed. By default, the policy.conf file does not allow the use of MD5.
Note: The cryptographic password hash policy in the /etc/security/policy.conf file promotes interoperability with systems that use non-FIPS 140-2 hashes. To promote FIPS 140-2 security, remove any non-FIPS 140-2 hashes from the CRYPT_ALGORITHMS_ALLOW entry in the policy.conf file.
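The following audit script is an added example and is not part of the original page or of the Solaris code base. It parses a policy.conf-style file, reports any identifier in CRYPT_ALGORITHMS_ALLOW that is not a SHA-256 or SHA-512 plugin, checks that CRYPT_DEFAULT is itself in the allow list, and prints a hardened allow line. The algorithm identifiers it uses (1, 2a, md5, 5, 6) are the crypt.conf(5) names for the BSD MD5, Blowfish, Sun MD5, SHA-256 and SHA-512 plugins as documented for Solaris; only 5 and 6 are treated as FIPS 140-2 hashes here, and the sample file is constructed for the demonstration rather than copied from a real system.

```shell
#!/bin/sh
# Audit a Solaris-style policy.conf for non-FIPS 140-2 password hashes.
# Assumption: crypt.conf(5) identifiers 5 (crypt_sha256) and 6 (crypt_sha512)
# are the only FIPS 140-2 approved hashes; 1, 2a and md5 are MD5/Blowfish based.
FIPS_ALGS="5 6"

# policy_value FILE KEY: print the value of KEY=VALUE, skipping comment
# lines and trimming whitespace; the last definition in the file wins.
policy_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 ~ "^[ \t]*" key "[ \t]*$" {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# check_allow_list LIST: return 0 if every comma-separated identifier is a
# FIPS hash, otherwise print each offender and return 1.
check_allow_list() {
    rc=0
    for alg in $(printf '%s\n' "$1" | tr ',' ' '); do
        case " $FIPS_ALGS " in
            *" $alg "*) ;;
            *) echo "non-FIPS hash allowed: $alg"; rc=1 ;;
        esac
    done
    return $rc
}

# harden_allow_list LIST: print the same list with only FIPS identifiers kept.
harden_allow_list() {
    out=""
    for alg in $(printf '%s\n' "$1" | tr ',' ' '); do
        case " $FIPS_ALGS " in
            *" $alg "*) out="${out:+$out,}$alg" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_policy FILE: the allow list must be FIPS-only and CRYPT_DEFAULT must
# name an allowed algorithm, otherwise new passwords may still get a
# non-FIPS hash. Returns 0 when the file passes.
audit_policy() {
    allow=$(policy_value "$1" CRYPT_ALGORITHMS_ALLOW)
    dflt=$(policy_value "$1" CRYPT_DEFAULT)
    rc=0
    check_allow_list "$allow" || rc=1
    case ",$allow," in
        *",$dflt,"*) ;;
        *) echo "CRYPT_DEFAULT=$dflt is not in CRYPT_ALGORITHMS_ALLOW"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample in the format of /etc/security/policy.conf: the
# interoperability-oriented allow list that still permits MD5-based hashes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real system file
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_DEFAULT=5
EOF

if audit_policy "$SAMPLE"; then
    echo "policy is FIPS-only"
else
    echo "suggested fix: CRYPT_ALGORITHMS_ALLOW=$(harden_allow_list "$(policy_value "$SAMPLE" CRYPT_ALGORITHMS_ALLOW)")"
fi
rm -f "$SAMPLE"
```

Run it against a copy of /etc/security/policy.conf to see which identifiers would have to go. Trimming the allow list governs which hash crypt(3C) generates for new passwords; hashes already stored for existing accounts keep their old algorithm until those users next change their password, so a FIPS-only policy is only complete once every stored hash has been regenerated.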
See also:
- crypt(3C) and libmd(3LIB) man pages
- crypt.conf(5) and policy.conf(5) man pages