mediumaccess-controlunverified
Ensure stored passwords use the SHA-512 hashing algorithm
shadow-password-sha512 · RHEL ≥ 8 · 1 impl
Description
Every interactive account with a password in /etc/shadow must store it as a SHA-512 hash (a field beginning with $6$). Accounts that are locked or have no password ($!, $*, or empty) are not evaluated.
Rationale
Weaker hash algorithms (MD5, SHA-256, or DES) are more susceptible to offline cracking. SHA-512 is the FIPS-approved algorithm required for stored authenticators on RHEL 8.
Check → Remediate
Checkcommand
fail=0
while IFS=: read -r user hash _; do
case "$hash" in
''|'!'*|'*'*) continue ;; # no password / locked — not evaluated
'$6$'*) continue ;; # SHA-512 — compliant
*) echo "FAIL: $user has a non-SHA-512 password hash"; fail=1 ;;
esac
done < /etc/shadow
if [ "$fail" -eq 0 ]; then
echo "OK: all stored passwords use SHA-512"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Force affected accounts to reset their password so it is re-hashed with SHA-512 (ensure ENCRYPT_METHOD SHA512 is set in /etc/login.defs first): passwd --expire <user> or lock accounts that should not have a password: passwd -l <user>
Framework references
STIG
V-281221 / RHEL-10-600730V-230232 / RHEL-08-010120
NIST 800-53
IA-5
#passwords#hashing#sha512#fips#shadow#stig