Hello,
please add the following release note to the Security section:
(`...` stands for the appropriate markup)
Password hashing using the SHA-256 and SHA-512 hash functions is now
supported.
To switch to SHA-256 or SHA-512 on an installed system, use `authconfig
--passalgo=sha256 --update` or `authconfig --passalgo=sha512 --update`.
You can also configure the hashing method in a GUI using
`authconfig-gtk`. Existing user accounts won't be affected until their
passwords are changed.
SHA-512 is used by default on newly installed systems. Other algorithms
can be configured only for kickstart installations, by using the
`--passalgo` or `--enablemd5` options of the kickstart command `auth`.
If your installation does not use kickstart, use `authconfig` as
described above, then change the `root` password and passwords of any
other users created after installation.
New options were added to `libuser`, `pam` and `shadow-utils` to support
these password hashing algorithms. `authconfig` configures all these
options automatically, so it is usually not necessary to modify them
manually.
* New values of the `crypt_style` option and new options
`hash_rounds_min` and `hash_rounds_max` are now supported in the
`[defaults]` section of `/etc/libuser.conf`. See `libuser.conf(5)`
for more details.
* New options `sha256`, `sha512` and `rounds` are now supported by the
`pam_unix` PAM module. See `pam_unix(8)`for more details.
* New options `ENCRYPT_METHOD`, `SHA_CRYPT_MIN_ROUNDS` and
`SHA_CRYPT_MAX_ROUNDS` are now supported in `/etc/login.defs`. See
`login.defs(5)` for more details.
Corresponding options were added to `chpasswd(8)` and `newusers(8)`.
Thank you,
Mirek
--
Fedora-relnotes-content mailing list
Fedora-relnotes-content@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-relnotes-content
