Does your VPS have MD5 enabled for passwords?

We recently discovered that the way we install a VPS differs slightly from the usual CD install. This is not something we do deliberately; it is something that can be improved in the set-up of CentOS 5.3.

When you install from a CD, MD5 password hashing is enabled automatically (which should be the norm); when you install directly from the base packages, it is not.

This appears to be a fairly new development, and we caught it quickly thanks to some great users who have passwords longer than 8 characters. The main side effect of not having MD5 enabled is that you cannot have a password longer than 8 characters at all: only the first 8 characters are used, and the rest are silently ignored.

To test your VPS for this, set a password of more than 8 characters. If you can still log in using only the first 8 characters (with the trailing characters trimmed off), MD5 is not enabled.

There is an easy fix for this.

Edit /etc/sysconfig/authconfig

You need to have this setting enabled:

USEMD5=yes

Next, edit this file /etc/pam.d/system-auth

Make sure it has the following line (with md5 among the options):

password sufficient pam_unix.so md5 shadow try_first_pass use_authtok nullok

You should then reset every password on the box with passwd so that they are stored as MD5 hashes:

passwd username

Before:

[root@hostname ~]# cat /etc/shadow
root:y.yYKjjc6dh4M:14519:0:99999:7:::

After:

[root@hostname /etc/pam.d]# cat /etc/shadow
root:$1$trQ54tcS$azHBlqdd3kzNF4v8Xp3N/0:14519:0:99999:7:::
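In the output above, the old hash is a bare 13-character DES crypt string and the new one starts with $1$, the glibc MD5 crypt prefix. The following script is an added example (not part of the original post) that classifies each hash field in a shadow file so you can list the accounts that still need a password reset; the shadow lines it reads are constructed samples.

```shell
#!/bin/sh
# Added example: classify the hash format of each account in a shadow file
# and list accounts still using legacy DES crypt (13 characters, no '$'
# prefix, only the first 8 password characters used). glibc MD5 crypt
# hashes start with "$1$"; SHA-256/SHA-512 crypt use "$5$"/"$6$".

# Constructed sample shadow lines (not real credentials).
SAMPLE_SHADOW='root:y.yYKjjc6dh4M:14519:0:99999:7:::
alice:$1$trQ54tcS$azHBlqdd3kzNF4v8Xp3N/0:14519:0:99999:7:::
daemon:*:14519:0:99999:7:::
bob:!!:14519:0:99999:7:::'

# hash_type HASH -> prints one of: locked, md5, sha, des, other
hash_type() {
    case "$1" in
        '' | '*' | '!'*) echo locked ;;      # no usable password
        '$1$'*)          echo md5 ;;         # MD5 crypt
        '$5$'* | '$6$'*) echo sha ;;         # SHA-crypt (newer systems)
        '$'*)            echo other ;;       # some other modular format
        *)
            # A 13-character field with no '$' is traditional DES crypt.
            if [ "${#1}" -eq 13 ]; then echo des; else echo other; fi ;;
    esac
}

# list_des_accounts SHADOW_CONTENT -> prints usernames whose hash is DES crypt
list_des_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        [ "$(hash_type "$hash")" = des ] && echo "$user"
    done
}

# Run against the constructed sample; on a real box use: list_des_accounts "$(cat /etc/shadow)"
list_des_accounts "$SAMPLE_SHADOW"
```

Any account the script lists still has a truncated DES hash and should have its password reset with passwd after the authconfig and PAM changes.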

If you have any problems or concerns, contact us via support. Just drop in a ticket and we can get things going again.


3 Responses to Does your VPS have MD5 enabled for passwords?

  1. james says:

    Thanks for the info Liz.

    Obviously this is a problem for people with passwords that are more than 8 characters in length, but is it also some kind of security risk?

    i.e. if our passwords are 8 characters or less, is it still recommended to enable MD5 hashing of passwords?

    • Liz Quilty says:

      It's not a major security risk, but if somebody happens to get a shell on your machine, they can crack it a lot faster/easier if it's not MD5. In an ideal world everyone would have passwords longer than 8 characters, however this doesn't happen as much as we would like.
      I would suggest that MD5 be enabled unless it's absolutely going to be a pain-in-the-butt-impossible to change all users' passwords.

  2. james says:

    Thanks Liz. I'll schedule a time to make these changes on all of our servers.