Password Algorithm With Authconfig Vs Authselect


In the old days I could do

# authconfig --passalgo=sha256 --update

With EL8 comes authselect now (replacement of authconfig).

authselect --passalgo=sha512 --update does not work and seems to be unsupported.

# grep -R passalgo /usr/lib/python3.6/site-packages/authselect/
/usr/lib/python3.6/site-packages/authselect/authcompat_Options.py:
Option.UnsupportedValued ("passalgo",
_("")),

What does the new “way” look like (>=EL8) to switch the password algorithm?

Any hints would be great …

2 thoughts on - Password Algorithm With Authconfig Vs Authselect

  • Once upon a time, Leon Fauster said:

    It looks like authselect doesn’t support that.

    While authconfig tried to be a super-multi-tool that knew how to configure all the things, I think it got to a point where it was too difficult to maintain (keeping track of which options were required, conflicted with each other, etc.). So authselect instead ships a pre-set group of config files that have been tested, with some options in them.

    Right now, the password algorithm is always sha512. I think that could be turned into what authselect calls a “feature”, but I’m not sure (that’d be a good request for the project, using their project page at https://github.com/authselect/authselect). It looks like features might support only enable/disable, not custom string values.

    The “officially correct” way to do that today seems to be to create a custom profile (which can be based on an existing profile), change the values, then apply the custom profile. This seems like a lot to just set the algorithm, but I’m guessing that at this point, there aren’t many requests to do that (so it isn’t a well-supported thing to change).

    It looks like something like this might do it:

    authselect create-profile sha256 --base-on=sssd
    sed -i 's/sha512/sha256/g' /etc/authselect/custom/sha256/*
    authselect select custom/sha256

  • Chris, this seems to be a very reasonable approach! Nevertheless I noticed while testing that these config files also need to be managed:

    # grep 512 /etc/libuser.conf /etc/login.defs
    /etc/libuser.conf:crypt_style = sha512
    /etc/login.defs:ENCRYPT_METHOD SHA512

    At least authselect’s profile mechanism is a good starting point to adapt my workflow.

    Thanks!
    Leon
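
The thread names three places that carry the algorithm: the authselect-generated PAM files, /etc/libuser.conf and /etc/login.defs. A read-only consistency check across them follows, as an added example that is not part of the original thread. The function names and the sample tree are constructed, and it assumes the algorithm appears as a keyword on the pam_unix.so password line.

```shell
#!/bin/sh
# Added example: read-only check that the PAM stack, libuser and login.defs
# agree on the password hash algorithm.

# Algorithm keyword on the pam_unix.so "password" line of a PAM file.
pam_algo() {
    awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|yescrypt)$/) { print $i; exit }
    }' "$1"
}

# Value of "crypt_style = ..." in libuser.conf, lowercased.
libuser_algo() {
    sed -n 's/^[[:space:]]*crypt_style[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Value of ENCRYPT_METHOD in login.defs, lowercased.
logindefs_algo() {
    awk '$1 == "ENCRYPT_METHOD" { print tolower($2); exit }' "$1"
}

# check_passalgo ROOT: print each setting; return 0 only if all four agree.
check_passalgo() {
    a=$(pam_algo "$1/etc/pam.d/system-auth")
    b=$(pam_algo "$1/etc/pam.d/password-auth")
    c=$(libuser_algo "$1/etc/libuser.conf")
    d=$(logindefs_algo "$1/etc/login.defs")
    printf '%-24s %s\n' pam.d/system-auth "${a:-unset}" pam.d/password-auth "${b:-unset}" \
        libuser.conf "${c:-unset}" login.defs "${d:-unset}"
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ] && [ "$a" = "$d" ]
}

# Constructed sample tree: profile switched to sha256, the other files still sha512.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d"
echo 'password sufficient pam_unix.so sha256 shadow try_first_pass use_authtok' \
    > "$demo/etc/pam.d/system-auth"
cp "$demo/etc/pam.d/system-auth" "$demo/etc/pam.d/password-auth"
echo 'crypt_style = sha512' > "$demo/etc/libuser.conf"
echo 'ENCRYPT_METHOD SHA512' > "$demo/etc/login.defs"

check_passalgo "$demo" || echo "MISMATCH: the files do not all name the same algorithm"
```

Calling `check_passalgo ""` reads the live files under /etc instead of the sample tree.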