code: Change default password hashing from md5 to SHA2
completed by: Nagato Yuki
mentors: Alex Hornung, Samuel J. Greear
DragonFly currently still uses md5 as the default password hash for /etc/master.passwd. As md5 is considered cryptographically broken, it's about time we move on. This task will involve adding support and changing the default to using SHA2 (SHA256 and/or SHA512). SHA384 is currently not supported by libmd and is hence not usabe for this.
The steps to follow are:
- add support for sha2 (256, 512?) to lib/libcrypt in two new files, crypt-sha256.c and crypt-sha512.c. This is relatively trivial and just needs to use the functions provided by libmd. It also involves adapting the Makefile to these changes.
- modify the #define PASSWORD_HASH in lib/pam_module/pam_unix/pam_unix.c to the new hash to be used
- modify the default passwd_format in etc/login.conf
- Test it! An untested submission will not be accepted.
It is imperative that this task is handed in as a proper unified patch, either the output of git format-patch (preferred) or a manual diff -Nau. A test to see if buildworld still runs after the changes should also be performed. If any help is required, feel free to drop me a mail or ask on our IRC channel, #dragonflybsd on efnet.