On 21.04.21 22:56, Chris Adams wrote:
> Once upon a time, Leon Fauster <leonfauster at googlemail.com> said:
>> How does the new "way" look like (>=EL8), to switch the password
>> algorithm?
>
> It looks like authselect doesn't support that.
>
> While authconfig tried to be a super-multi-tool that knew how to
> configure all the things, I think it got to a point where it was too
> difficult to maintain (keeping track of which options were required,
> conflicted with each other, etc.). So authselect instead ships a
> pre-set group of config files that have been tested, with some options
> in them.
>
> Right now, the password algorithm is always sha512. I think that could
> be turned into what authselect calls a "feature", but I'm not sure
> (that'd be a good request for the project, using their project page at
> https://github.com/authselect/authselect). It looks like features might
> support only enable/disable, not custom string values.
>
> The "officially correct" way to do that today seems to be to create a
> custom profile (which can be based on an existing profile), change the
> values, then apply the custom profile. This seems like a lot to just
> set the algorithm, but I'm guessing that at this point, there aren't
> many requests to do that (so it isn't a well-supported thing to change).
>
> It looks like something like this might do it:
>
>   authselect create-profile sha256 --base-on=sssd
>   sed -i 's/sha512/sha256/g' /etc/authselect/custom/sha256/*
>   authselect select custom/sha256

Chris, this seems to be a very reasonable approach! Nevertheless, I noticed
while testing that these config files also need to be managed:

  # grep 512 /etc/libuser.conf /etc/login.defs
  /etc/libuser.conf:crypt_style = sha512
  /etc/login.defs:ENCRYPT_METHOD SHA512

At least authselect's profile mechanism is a good starting point
to adapt my workflow. Thanks!

Leon
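
Added example, not part of the original thread: a small consistency check for the three places the thread names (the custom authselect profile, /etc/libuser.conf and /etc/login.defs), reporting any that still use a different hash algorithm than the one wanted. The function names, the ROOT prefix and the simplified pam_unix line in the sample tree are assumptions made for the example; the sample files are constructed.

```shell
#!/bin/sh
# Added example. ROOT is a path prefix (hypothetical parameter) so the check
# can run on a constructed tree; pass "" to inspect a real host.

# Print "<file> <algorithm>" for every place the thread names.
hash_settings() {
    root=$1; profile=$2
    for f in "$root/etc/authselect/custom/$profile"/*; do
        [ -f "$f" ] || continue
        # pam_unix takes the algorithm as a bare option on its password line
        alg=$(grep -E '^password[[:space:]].*pam_unix\.so' "$f" |
              grep -owE 'sha512|sha256|md5|blowfish|yescrypt' | head -n 1)
        if [ -n "$alg" ]; then echo "${f#"$root"} $alg"; fi
    done
    f="$root/etc/libuser.conf"
    if [ -f "$f" ]; then
        echo "/etc/libuser.conf $(sed -n 's/^[[:space:]]*crypt_style[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)"
    fi
    f="$root/etc/login.defs"
    if [ -f "$f" ]; then
        echo "/etc/login.defs $(awk '$1 == "ENCRYPT_METHOD" { print tolower($2); exit }' "$f")"
    fi
}

# Print only the entries whose algorithm differs from the wanted one.
hash_mismatches() {
    hash_settings "$1" "$2" | awk -v want="$3" '$2 != want'
}

# Constructed sample: profile already switched by the sed step from the
# thread, the other two files still at the sha512 values quoted there.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/authselect/custom/sha256"
    for n in system-auth password-auth; do
        echo 'password sufficient pam_unix.so sha256 shadow use_authtok' \
            > "$root/etc/authselect/custom/sha256/$n"
    done
    echo 'crypt_style = sha512' > "$root/etc/libuser.conf"
    echo 'ENCRYPT_METHOD SHA512' > "$root/etc/login.defs"
    echo "$root"
}

sample=$(make_sample_root)
hash_mismatches "$sample" sha256 sha256
rm -rf "$sample"
```

An empty result from hash_mismatches means the profile, libuser and login.defs agree, so passwords set through PAM, libuser tools and shadow-utils all get the same hash type.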