User Identity Authentication
Operating systems usually authenticate users with passwords. A password must not be stored in clear text: once it is set, it is passed through a salted one-way hash function and only the resulting hash is stored, so that a copy of /etc/shadow does not directly reveal the password (the openEuler tools call this "encrypting" the password, but no key is involved and the operation cannot be reversed). openEuler provides the following user password management components that support the SM3 hash algorithm for this purpose: Pluggable Authentication Module (PAM), passwd, shadow, and libuser.
Using PAM to Hash User Passwords
Overview
PAM is the authentication framework that upper-layer applications (login, sshd, passwd, and so on) call into. The PAM shipped with openEuler supports hashing user passwords with SM3 through pam_unix.so. The hash itself is computed by libxcrypt, which is why both packages must be at an SM-enabled version.
Prerequisites
PAM 1.5.2-2 or later. You can run the following command to query the PAM version:
$ rpm -qa pam
pam-1.5.2-2.oe2209.x86_64
libxcrypt 4.4.26-2 or later. You can run the following command to query the libxcrypt version:
$ rpm -qa libxcrypt
libxcrypt-4.4.26-2.oe2209.x86_64
How to Use
Open the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, locate the line starting with password sufficient pam_unix.so, and change the hash algorithm option on that line (sha512 by default) to sm3. Edit both files: applications include one or the other, and a password changed through a file that still says sha512 will not get an SM3 hash.
$ cat /etc/pam.d/password-auth
......
password    sufficient    pam_unix.so sm3 shadow nullok try_first_pass use_authtok
......
$ cat /etc/pam.d/system-auth
......
password    sufficient    pam_unix.so sm3 shadow nullok try_first_pass use_authtok
......
After the configuration is modified, a password changed with the passwd command, or set for a newly created user, is hashed with SM3. The stored value has the usual crypt layout of identifier, salt, and hash separated by "$"; it starts with the $sm3$ identifier and is written to the second field of the user's entry in /etc/shadow (readable only by root):
$ passwd testuser
Changing password for user testuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
$ cat /etc/shadow | grep testuser
testuser:$sm3$wnY86eyUlB5946gU$99LlMr0ddeZNDqnB2KRxn9f30SFCCvMv1WN1cFdsKJ2:19219:0:90:7:35::
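The edit above has to be made identically in two files and is easy to get subtly wrong by hand (for example changing only one file). The following script, added here as an example and not part of the openEuler documentation, rewrites the algorithm token on the pam_unix password line and reads it back so the result can be checked. It assumes the line form shown above; the list of recognised tokens is the set pam_unix accepts plus openEuler's sm3. The sample PAM excerpt in the script is constructed, not copied from a real openEuler system.

```shell
#!/bin/sh
# Added example (not from the openEuler documentation): switch the hash
# algorithm on the "password sufficient pam_unix.so" line of a PAM file and
# read it back, so the change can be applied to both files and verified.
# Assumption: the files use the line form shown in the document above.

# Print the algorithm token set on the pam_unix password line, or
# "default" when none is present (pam_unix then uses its built-in default).
pam_unix_hash() {
    awk '
        /^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(md5|bigcrypt|sha256|sha512|yescrypt|gost_yescrypt|blowfish|sm3)$/) { print $i; exit }
            print "default"; exit
        }
    ' "$1"
}

# Replace (or append, if no token is present) the algorithm token on that
# line. The file is rewritten in place through "cat >" so that the owner and
# mode of the file under /etc/pam.d are preserved. Note that awk rebuilds a
# line whose field was replaced with single spaces between fields.
set_pam_unix_hash() {
    file=$1
    algo=$2
    tmp=$(mktemp) || return 1
    awk -v algo="$algo" '
        /^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ {
            found = 0
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(md5|bigcrypt|sha256|sha512|yescrypt|gost_yescrypt|blowfish|sm3)$/) { $i = algo; found = 1 }
            if (!found) $0 = $0 " " algo
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed excerpt modelled on /etc/pam.d/system-auth (not a real
# openEuler file). On a real system the targets are
# /etc/pam.d/password-auth and /etc/pam.d/system-auth.
SAMPLE_PAM=$(mktemp)
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

echo "before: $(pam_unix_hash "$SAMPLE_PAM")"
set_pam_unix_hash "$SAMPLE_PAM" sm3
echo "after:  $(pam_unix_hash "$SAMPLE_PAM")"
grep '^password.*pam_unix\.so' "$SAMPLE_PAM"
```

On a real host, run it as root against both files, for example with a loop over /etc/pam.d/password-auth and /etc/pam.d/system-auth, and confirm that pam_unix_hash prints sm3 for each before changing any password. The functions only touch the password line, so the auth line that also references pam_unix.so is left exactly as it was.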
Notes
- By default, PAM uses the SHA-512 algorithm. Switching the setting to SM3 does not touch hashes that already exist in /etc/shadow: pam_unix does not re-hash a password when a user logs in, so an existing user keeps the SHA-512 hash until the password is next changed. Only passwords set or changed after the edit are hashed with SM3.
- If PAM and libxcrypt are to be downgraded to versions without SM support while some user passwords are still hashed with SM3, first switch the algorithm back to a non-SM one (for example sha512), have those users change their passwords so that a non-SM hash is written, and only then downgrade the packages. Otherwise the downgraded libxcrypt cannot verify $sm3$ hashes and those users can no longer log in.
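Before a downgrade it is worth knowing exactly which accounts still carry an $sm3$ hash. The script below is an added example, not code from the openEuler documentation: it classifies the hash scheme in the second field of a shadow-style file by its crypt identifier and lists the accounts using a given scheme. Because /etc/gshadow has the same layout in its first two fields, it can be pointed at that file as well. The sample entries are constructed; only the two $sm3$ values are taken from this document, and the other hashes are made-up strings with the right identifier.

```shell
#!/bin/sh
# Added example (not from the openEuler documentation): classify the hash
# scheme stored for every account in a shadow-style file, to find which
# accounts would stop working after a downgrade to a non-SM libxcrypt.
# Field 2 of /etc/shadow and of /etc/gshadow holds the hash, so the same
# functions work on either file.

# Map one shadow hash field to the name of its hash scheme.
hash_scheme() {
    h=$1
    # "passwd -l" prefixes the field with "!" but keeps the hash in place;
    # strip the marker so a locked account's hash is still counted, because
    # "passwd -u" brings that hash back into use.
    while [ "${h#!}" != "$h" ]; do h=${h#!}; done
    case "$h" in
        "")                      if [ -n "$1" ]; then echo locked; else echo none; fi ;;
        '*'*)                    echo locked ;;         # disabled account, no hash
        '$sm3$'*)                echo sm3 ;;            # openEuler SM3 hash
        '$6$'*)                  echo sha512 ;;         # PAM default on openEuler
        '$5$'*)                  echo sha256 ;;
        '$y$'*)                  echo yescrypt ;;
        '$gy$'*)                 echo gost_yescrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
        '$1$'*)                  echo md5 ;;
        *)                       echo unknown ;;        # e.g. legacy 13-character DES
    esac
}

# Print "<user> <scheme>" for each entry of a shadow-style file.
shadow_schemes() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done < "$1"
}

# Print the accounts whose stored hash uses the given scheme, e.g. sm3.
accounts_using() {
    shadow_schemes "$1" | awk -v want="$2" '$2 == want { print $1 }'
}

# Constructed sample in /etc/shadow format (not a real system file). The two
# $sm3$ values are the ones shown in this document; the rest are made up.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$kq3P9Z1n$Hq7sbd0p4ZrD6J1xQY9Wf2OlC8uT5mNv3aEiKg0yRj1BtLhX7cSzMwVe4nUoAq2kDfG8p:19219:0:99999:7:::
testuser:$sm3$wnY86eyUlB5946gU$99LlMr0ddeZNDqnB2KRxn9f30SFCCvMv1WN1cFdsKJ2:19219:0:90:7:35::
bin:*:18000:0:99999:7:::
legacy:$y$j9T$p0Mh1wGx3cR5tVqZ$7YfK2oBnLa9sEuD4hXjPc6mW0iQzTr8vNl1gS3bJkAe:19100:0:99999:7:::
svc:!$sm3$moojQQeBfdGOrL14$NqjckLHlk3ICs1cx.0rKZwRHafjVlqksdSJqfx9eYh6:19220:0:99999:7:::
nopw::19200:0:99999:7:::
EOF

shadow_schemes "$SAMPLE"
echo "accounts that would be locked out by a downgrade to a non-SM libxcrypt:"
accounts_using "$SAMPLE" sm3
```

Run as root with /etc/shadow (and /etc/gshadow for group passwords) in place of the sample file. Every account that accounts_using reports for sm3 must have its password changed under a non-SM algorithm before libxcrypt is downgraded; a locked account is reported too, since unlocking it later would reactivate the SM3 hash.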
Using Shadow to Hash User Passwords
Overview
Shadow (shadow-utils) is the standard user management component on Linux. It provides commands such as chpasswd, chgpasswd, and newusers. The Shadow shipped with openEuler supports the SM3 algorithm for user management. Shadow uses the PAM mechanism by default, so its own SM3 support takes effect only for the chpasswd and chgpasswd commands, and only when the algorithm is selected explicitly with -c (see Notes).
Prerequisites
Shadow 4.9-4 or later. You can run the following command to query the shadow version:
$ rpm -qa shadow
shadow-4.9-4.oe2209.x86_64
How to Use
By default, chpasswd updates passwords through PAM. Use -c SM3 to make chpasswd hash the password with SM3 itself. The stored hash starts with $sm3$ and is written to /etc/shadow:
$ echo testuser:testPassword | chpasswd -c SM3
$ cat /etc/shadow | grep testuser
testuser:$sm3$moojQQeBfdGOrL14$NqjckLHlk3ICs1cx.0rKZwRHafjVlqksdSJqfx9eYh6:19220:0:99999:7:::
By default, chgpasswd updates group passwords through PAM. Use -c SM3 to make chgpasswd hash the password with SM3 itself. The stored hash starts with $sm3$ and is written to /etc/gshadow:
$ echo testGroup:testPassword | chgpasswd -c SM3
$ cat /etc/gshadow | grep testGroup
testGroup:$sm3$S3h3X6U6KsXg2Gkc$LFCAnKbi6JItarQz4Y/Aq9/hEbEMQXq9nQ4rY1j9BY9::
Notes
By default, shadow uses the PAM mechanism. When -c is used to specify a hash algorithm in the related commands, the command hashes the password itself and the PAM password stack is bypassed entirely: the pam_unix configuration (including an sm3 setting there) and any pam_pwquality checks on the new password do not apply. The examples above also place the clear-text password on the command line, where it is recorded in the shell history; in practice feed chpasswd and chgpasswd from a file that only root can read, and delete it afterwards.
Using libuser to Hash User Passwords
Overview
The libuser library implements a standardized interface for operating on and managing users and groups. It is wrapped to provide both a command-line interface (CLI) and a Python interface. The library can hash user passwords with DES, MD5, Blowfish, SHA256, or SHA512; the libuser shipped with openEuler adds the SM3 algorithm.
Prerequisites
libuser 0.63-3 or later. You can run the following command to query the libuser version:
$ rpm -qa libuser
libuser-0.63-3.oe2209.x86_64
How to Use
Configure crypt_style=sm3 in the [defaults] section in /etc/libuser.conf.
$ cat /etc/libuser.conf
......
[defaults]
crypt_style = sm3
......
When you then run the lusermod, lpasswd, or luseradd command to set a user password, SM3 is used as the default hash algorithm. The stored hash starts with $sm3$ and is written to /etc/shadow:
$ luseradd testuser -P Test@123
$ cat /etc/shadow | grep testuser
testuser:$sm3$1IJtoN6zlBDCiPKC$5oxscBTgiquPAEmZWGNDVqTPrboHJw3fFSohjF6sONB:18862:0:90:7:35::
As with chpasswd, the -P option places the clear-text password on the command line, where it is visible in the shell history and, while the command runs, in the process list; where possible set the password interactively with lpasswd instead, which prompts for it.