mediumaccess-controlverified ✓rollback-safe
Configure sufficient SHA-512 hashing rounds in password-auth
pam-sha512-rounds-password-auth · RHEL ≥ 8 · 1 impl
Description
The pam_unix module in /etc/pam.d/password-auth must be configured to use a sufficient number of SHA-512 hashing rounds (at least 100000) to increase the computational cost of password cracking.
Rationale
Using a low number of hashing rounds makes it easier for attackers to crack password hashes offline. Configuring 100000 or more rounds significantly increases the time required for brute-force attacks.
Check → Remediate
Checkcommand
rounds=$(grep -Po '(?<=rounds=)[0-9]+' /etc/pam.d/password-auth 2>/dev/null | head -1)
[ -n "$rounds" ] && [ "$rounds" -ge {{ shadow_crypt_min_rounds }} ]
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- SHA_CRYPT_MIN_ROUNDS
- value:
- 5000
Framework references
STIG
V-281220 / RHEL-10-600720V-258099 / RHEL-09-611050
NIST 800-53
IA-5(1)(c)
Live verification
rhel9:check
#pam#password#sha512#hashing#password-auth