[CentOS] password algorithm with authconfig vs authselect

Wed Apr 21 21:22:33 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 21.04.21 22:56, Chris Adams wrote:
> Once upon a time, Leon Fauster <leonfauster at googlemail.com> said:
>> What does the new "way" look like (>=EL8) to switch the password
>> algorithm?
> It looks like authselect doesn't support that.
> While authconfig tried to be a super-multi-tool that knew how to
> configure all the things, I think it got to a point where it was too
> difficult to maintain (keeping track of which options were required,
> conflicted with each other, etc.).  So authselect instead ships a
> pre-set group of config files that have been tested, with some options
> in them.
> Right now, the password algorithm is always sha512.  I think that could
> be turned into what authselect calls a "feature", but I'm not sure
> (that'd be a good request for the project, using their project page at
> https://github.com/authselect/authselect).  It looks like features might
> support only enable/disable, not custom string values.
> The "officially correct" way to do that today seems to be to create a
> custom profile (which can be based on an existing profile), change the
> values, then apply the custom profile.  This seems like a lot to just
> set the algorithm, but I'm guessing that at this point, there aren't
> many requests to do that (so it isn't a well-supported thing to change).
> It looks like something like this might do it:
>    authselect create-profile sha256 --base-on=sssd
>    sed -i 's/sha512/sha256/g' /etc/authselect/custom/sha256/*
>    authselect select custom/sha256

Chris, this seems to be a very reasonable approach! Nevertheless, I
noticed while testing that these config files also need to be managed:

# grep 512 /etc/libuser.conf /etc/login.defs
/etc/libuser.conf:crypt_style = sha512
/etc/login.defs:ENCRYPT_METHOD SHA512

At least authselect's profile mechanism is a good starting point to
adapt my workflow.
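
Putting the two messages together, the complete change is: the pam_unix.so option in the custom authselect profile, plus ENCRYPT_METHOD in /etc/login.defs and crypt_style in /etc/libuser.conf, which authselect does not manage. The script below is an added example, not code from the thread or from the authselect project. It works relative to a $ROOT directory, builds constructed copies of the files (modelled on the grep output above) in a scratch directory, rewrites the algorithm, and checks that all three places agree; the function names, the sample file contents, and the constructed shadow line are assumptions for the demo. On a real EL8 host the authselect commands from the thread still have to be run around it, as the comments note.

```sh
#!/bin/sh
# Added example, not the thread's or authselect's own code. It packages the
# steps discussed above: rewrite the algorithm in a custom authselect profile
# AND in the two files authselect does not manage (/etc/login.defs,
# /etc/libuser.conf), then verify. Paths are taken relative to $ROOT so the
# demo runs against a scratch directory. On a real EL8 host, after
#   authselect create-profile sha256 --base-on=sssd
# call set_password_algo/check_password_algo with ROOT=/ (never make_fixture),
# then
#   authselect select custom/sha256
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
PROFILE="$ROOT/etc/authselect/custom/sha256"

# Constructed sample files modelled on the grep output in the thread.
make_fixture() {
  [ "$ROOT" != / ] || { echo "refusing to write fixture into /" >&2; return 1; }
  mkdir -p "$PROFILE"
  printf '%s\n' \
    'auth        sufficient   pam_unix.so nullok try_first_pass' \
    'password    sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
    'password    sufficient   pam_sss.so use_authtok' > "$PROFILE/system-auth"
  printf '%s\n' \
    'password    sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
    > "$PROFILE/password-auth"
  printf '%s\n' '[defaults]' 'crypt_style = sha512' > "$ROOT/etc/libuser.conf"
  printf '%s\n' 'ENCRYPT_METHOD SHA512' 'SHA_CRYPT_MIN_ROUNDS 5000' > "$ROOT/etc/login.defs"
}

# Portable in-place edit (avoids the GNU/BSD `sed -i` difference).
edit() { sed -E "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

# Switch the hash used for NEW passwords to $1 (sha256, sha512 or yescrypt).
# Only the pam_unix.so option on "password" lines is touched, so a blanket
# s/sha512/sha256/ cannot stray into unrelated text in the profile.
set_password_algo() {
  algo="$1"
  upper=$(printf '%s' "$algo" | tr '[:lower:]' '[:upper:]')
  for f in "$PROFILE"/*; do
    edit '/^password.*pam_unix\.so/s/ (sha256|sha512|yescrypt)( |$)/ '"$algo"'\2/' "$f"
  done
  edit 's/^(ENCRYPT_METHOD[[:space:]]+).*/\1'"$upper"'/' "$ROOT/etc/login.defs"
  edit 's/^(crypt_style[[:space:]]*=[[:space:]]*).*/\1'"$algo"'/' "$ROOT/etc/libuser.conf"
}

# Return 0 only when the profile, login.defs and libuser.conf all agree on $1.
check_password_algo() {
  algo="$1"
  upper=$(printf '%s' "$algo" | tr '[:lower:]' '[:upper:]')
  grep -q "^ENCRYPT_METHOD[[:space:]]*$upper\$" "$ROOT/etc/login.defs" || return 1
  grep -q "^crypt_style[[:space:]]*=[[:space:]]*$algo\$" "$ROOT/etc/libuser.conf" || return 1
  # count "password ... pam_unix.so" lines that do NOT carry the algorithm
  stray=$(grep -hE '^password.*pam_unix\.so' "$PROFILE"/* | grep -cvE " $algo( |\$)" || true)
  [ "$stray" -eq 0 ]
}

# Classify one /etc/shadow line by its hash prefix: after the switch, a
# freshly set password must show up as $5$ (sha256crypt), not $6$.
shadow_hash_algo() {
  hash=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$hash" in
    '$5$'*) echo sha256 ;;
    '$6$'*) echo sha512 ;;
    '$y$'*) echo yescrypt ;;
    '$1$'*) echo md5 ;;
    '!'*|'*'*) echo locked ;;
    *) echo unknown ;;
  esac
}

# Demo against the scratch root.
make_fixture
set_password_algo sha256
check_password_algo sha256 || { echo "files still disagree on the algorithm" >&2; exit 1; }
echo "profile, login.defs and libuser.conf now use sha256 (under $ROOT)"
grep -H 256 "$ROOT/etc/libuser.conf" "$ROOT/etc/login.defs" "$PROFILE"/*
# Constructed shadow entry of the kind passwd writes once the switch is live.
shadow_hash_algo 'demo:$5$c0nstructed$notarealhash000000000000000000000000000000:19000:0:99999:7:::'
```

Two caveats worth keeping in mind: editing /etc/pam.d directly is pointless, because authselect regenerates those files from the selected profile, which is why the change belongs in the custom profile; and switching the algorithm only affects passwords set from then on, so existing $6$ entries in /etc/shadow stay sha512 until the user next changes their password, which the shadow_hash_algo check above makes visible.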