Quoting Rob James on the referenced bug report:

With the "remember=x" option to pam_unix for recording password history to /etc/security/opasswd the old password hashes stored in opasswd are always MD5 crypted even if pam_unix is configured for sha256 or sha512. /etc/security/opasswd should be treated in the same way as /etc/shadow for security reasons. There should at least be some way to use sha256/sha512 for opasswd.

Version-Release number of selected component (if applicable):
pam 0.99.6.2

How reproducible:
Every time

Steps to Reproduce:
1. Use authconfig to enable SHA-512 passwords (--passalgo=sha512)
2. In system-auth add "remember=3" to the pam_unix.so password entry
3. Add a local user
4. Login as that user and change the password to something else

Actual results:
The old password is stored in MD5 format

Expected results:
The old password is stored in SHA-512 format
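A quick way for an administrator to check whether an existing password-history file is affected is to classify each stored hash by its crypt(3) prefix. The script below is an added example, not code from the bug report or from pam_unix; it assumes the opasswd record layout written by the remember= option (user:uid:count:hash1,hash2,...) and runs over constructed sample lines rather than a real /etc/security/opasswd.

```python
"""Audit pam_unix password-history entries for weak hash algorithms.

Added example, not part of the bug report or of pam_unix. Assumes the
opasswd line format written by the remember= option:
    user:uid:count:hash1,hash2,...
Each stored hash is classified by its crypt(3) prefix; the sample data
below is constructed for illustration only.
"""
import re

# crypt(3) prefix -> algorithm name
HASH_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$y$": "yescrypt",
}

# Algorithms considered acceptable for stored password history.
STRONG = {"sha256", "sha512", "yescrypt", "bcrypt"}


def classify_hash(h):
    """Return the algorithm name for one crypt-style hash string."""
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    # Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"
    return "unknown"


def parse_opasswd_line(line):
    """Parse one opasswd record into (user, uid, count, [hashes]); None if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":", 3)
    if len(parts) != 4:
        return None
    user, uid, count, hashes = parts
    hash_list = [h for h in hashes.split(",") if h]
    return user, int(uid), int(count), hash_list


def audit_opasswd(text):
    """Return (user, history_index, algorithm) for every hash not in STRONG."""
    findings = []
    for line in text.splitlines():
        rec = parse_opasswd_line(line)
        if rec is None:
            continue
        user, _uid, _count, hash_list = rec
        for idx, h in enumerate(hash_list):
            algo = classify_hash(h)
            if algo not in STRONG:
                findings.append((user, idx, algo))
    return findings


# Constructed sample: alice's history is SHA-512, bob's was written as MD5
# (the behaviour the bug report describes), carol's holds a legacy DES hash.
SAMPLE_OPASSWD = """\
alice:1000:2:$6$saltsalt$abc...,$6$other$def...
bob:1001:3:$1$xyz$oldmd5hashhere,$1$abc$anothermd5,$6$ok$fine
carol:1002:1:AbCdEfGhIjKlM
"""

if __name__ == "__main__":
    for user, idx, algo in audit_opasswd(SAMPLE_OPASSWD):
        print(f"{user}: history entry {idx} is hashed with {algo}, weaker than the shadow algorithm")
```

Running it on the sample reports bob's two MD5 entries and carol's DES entry; on a real system you would read /etc/security/opasswd as root and treat any weak finding as a reason to keep that file's permissions as tight as /etc/shadow's until an upstream fix is in place.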
According to Flameeyes, this is not enabled by default. However, it might still increase the risk of information disclosure for people using the feature.
No new release from upstream yet, and I'd rather not patch so I'd just keep waiting to see if they release a 1.0.4.
I see nothing new from the upstream bug, do we still count this as a security bug?
Do you have a reference to the upstream bug?
This is a hardening issue, not a security issue.