mediumaccess-controlverified ✓rollback-safe
Encrypt stored passwords with a FIPS 140-3 hashing algorithm (Ubuntu)
password-hashing-fips-ubuntu · UBUNTU ≥ 22 · 1 impl
Description
/etc/login.defs ENCRYPT_METHOD must be set to SHA512 so that stored passwords use a FIPS 140-3 approved hashing algorithm.
Rationale
yescrypt (the Ubuntu default) is not FIPS 140-3 validated. SHA512 is the approved algorithm for storing password hashes in a FIPS posture.
Check → Remediate
Checkconfig_value
- path:
- /etc/login.defs
- key:
- ENCRYPT_METHOD
- expected:
- SHA512
- delimiter:
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- ENCRYPT_METHOD
- value:
- SHA512
- separator:
Framework references
STIG
V-270739 / UBTU-24-400400V-260572 / UBTU-22-611070
NIST 800-53
IA-5IA-5(1)(c)
Live verification
ubuntu22:checkubuntu24:check
#password#hashing#fips#login.defs