SHA hashes

The Secure Hash Algorithms (SHA) are a set of hash functions, frequently used for a large variety of purposes.

Some examples of usage of the SHA hash functions in Arch Linux are:

Verifying the integrity of the Arch Linux ISO and packages,
Pinning software revisions with git,
Securing and verifying cryptographic keys, for example disc encryption,
Data integrity and resource management of file systems, for example btrfs, and
Password verification, covered in Security#Password hashes and this article for SHA hashes.

SHA password hashes

By default Arch Linux used SHA-512 for passwords with package shadow releases from 4.1.4.3-3 (see bug 13591) to 4.14.0 (see yescrypt ). It replaced the older MD5 hash function, which has been found compromised by collision vulnerabilities. See wikipedia:Secure Hash Algorithms#Comparison of SHA functions for more information.

Configuration

The SHA-512 password hashing can be configured with the rounds=N option to improve key strengthening. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password they test against the hash in the /etc/shadow password file.

Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than one second.

Since pam release 1.6.0 the SHA-512 rounds option can be configured by either editing the /etc/login.defs file and setting an value for the SHA_CRYPT_MAX_ROUNDS parameter, or editing /etc/pam.d/passwd and adding the rounds with an appropriate value.[1]

If you do not use the rounds option, PAM will use a default different to the 5000 rounds example commented in /etc/login.defs.

For example:

/etc/pam.d/passwd

password	required	pam_unix.so sha512 shadow nullok rounds=65536

Warning: Explicitly configuring a hash like sha512 in above example overrides the default yescrypt hash for subsequent passwd invocations.

For a more detailed explanation of the /etc/pam.d/passwd password options check the pam_unix(8) man page.

Usage

Even though you have changed the encryption settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.

As root issue the following command,

# passwd username

where username is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed.

To verify that your passwords have been re-hashed, check the /etc/shadow file as root. Passwords hashed with SHA-256 begin with a $5, passwords hashed with SHA-512 will begin with $6 and yescrypt hashes with $y.