Leon Fauster
2021-Apr-21 20:24 UTC
[CentOS] password algorithm with authconfig vs authselect
In the old days I could do

# authconfig --passalgo=sha256 --update

With EL8 comes authselect now (replacement of authconfig).

authselect --passalgo=sha512 --update

does not work and seems to be unsupported.

# grep -R passalgo /usr/lib/python3.6/site-packages/authselect/
/usr/lib/python3.6/site-packages/authselect/authcompat_Options.py: Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),

How does the new "way" look like (>=EL8), to switch the password algorithm?

Any hints would be great ...

--
Leon

Chris Adams
2021-Apr-21 20:56 UTC
[CentOS] password algorithm with authconfig vs authselect
Once upon a time, Leon Fauster <leonfauster at googlemail.com> said:
> How does the new "way" look like (>=EL8), to switch the password
> algorithm?

It looks like authselect doesn't support that. While authconfig tried to be a super-multi-tool that knew how to configure all the things, I think it got to a point where it was too difficult to maintain (keeping track of which options were required, conflicted with each other, etc.). So authselect instead ships a pre-set group of config files that have been tested, with some options in them.

Right now, the password algorithm is always sha512. I think that could be turned into what authselect calls a "feature", but I'm not sure (that'd be a good request for the project, using their project page at https://github.com/authselect/authselect). It looks like features might support only enable/disable, not custom string values.

The "officially correct" way to do that today seems to be to create a custom profile (which can be based on an existing profile), change the values, then apply the custom profile. This seems like a lot to just set the algorithm, but I'm guessing that at this point, there aren't many requests to do that (so it isn't a well-supported thing to change).

It looks like something like this might do it:

authselect create-profile sha256 --base-on=sssd
sed -i 's/sha512/sha256/g' /etc/authselect/custom/sha256/*
authselect select custom/sha256

--
Chris Adams <linux at cmadams.net>
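
A check that could be run after applying such a custom profile, as an added example that is not part of either post: it reads the algorithm option from the pam_unix password line and lists accounts whose stored hash still uses a different algorithm, since the setting only affects passwords set after the change. The function names are hypothetical and the PAM and shadow samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# Print the hash option on each "password ... pam_unix.so" line of a PAM file.
# With no such option pam_unix falls back to traditional DES crypt.
pam_unix_algo() {
    awk '$1 == "password" && /pam_unix\.so/ {
        algo = "descrypt"
        for (i = 3; i <= NF; i++)
            if ($i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|yescrypt)$/) algo = $i
        print algo
    }' "$1"
}

# Classify one shadow(5) password field by its crypt(3) prefix.
shadow_hash_algo() {
    h=${1#'!'}; h=${h#'!'}        # drop the "!" / "!!" lock marker
    case "$h" in
        ''|'*') echo none ;;
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        '$'*)   echo other ;;
        *)      echo descrypt ;;
    esac
}

# Print "user algo" for accounts whose stored hash is not the wanted algorithm.
stale_hashes() {
    want=$1
    while IFS=: read -r user hash _rest; do
        algo=$(shadow_hash_algo "$hash")
        [ "$algo" = none ] || [ "$algo" = "$want" ] || echo "$user $algo"
    done < "$2"
}

# Constructed samples: a PAM password stack after the sed, and a shadow file
# in which only carol has changed her password since the switch.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'password requisite pam_pwquality.so local_users_only' \
    'password sufficient pam_unix.so sha256 shadow try_first_pass use_authtok' \
    'password required pam_deny.so' > "$tmp/system-auth"
printf '%s\n' 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::' \
    'carol:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18738:0:99999:7:::' \
    'daemon:*:18700:0:99999:7:::' \
    'bob:!!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::' > "$tmp/shadow"

echo "pam_unix algorithm: $(pam_unix_algo "$tmp/system-auth")"
echo "hashes not yet sha256:"; stale_hashes sha256 "$tmp/shadow"
```

On a real EL8 host the same functions can be pointed at /etc/pam.d/system-auth, /etc/pam.d/password-auth and, as root, /etc/shadow.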