Use PAM to increase SHA-512 password rounds

The pam_unix module is responsible for managing Linux’s shadow passwords. By default, it does a single, salted SHA-512 hash on the administrator password, when one is set. It is well known that passwords should never be stored using a single cryptographic hash because of its speed. The recommended solution is to use a KDF like bcrypt or PBKDF2. However, glibc’s crypt(3) does not support either of these. Linux PAM gets around this by using multiple rounds of a hash to strengthen the password, but it is not enabled by default. It can be done by modifying the /etc/pam.d/system-auth file. For example:

--- /etc/pam.d/system-auth
+++ /etc/pam.d/system-auth
@@ -7 +7 @@
-password   required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password   required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow rounds=1000000

Adding the rounds argument increases the number of hash iterations used by default when hashing a password. This results in the shadow file containing an extra field specifying the number of rounds. This is completely transparent to the user, and greatly increases the work factor required to crack the password. Tails should utilize this to further protect users against an adversary able to obtain this file, whether through physical access or through LPE.

The number of rounds determines how long it will take to generate the password hash. On a single Haswell i7 mobile core @ 2.80GHz, it takes slightly over half a second to perform one million SHA-512 rounds using PAM. Older processors may take longer. The number of rounds can be reduced if this proves to be an issue.

Original created by @cypherpunks on 15053 (Redmine)