As of today =sys-libs/glibc-2.8_p20080602-r1 is available for installation 
on 'stable' hardened systems.  As =sys-libs/glibc-2.8_p20080602-r1 will be 
compiled against the also-stable =sys-kernel/linux-headers-2.6.27-r2, it is 
recommended that one first upgrade to a >=sys-kernel/hardened-sources-2.6.27 
kernel.  Running a <=sys-kernel/*-2.6.27 kernel on a system with 
=sys-libs/glibc-2.8_p20080602-r1 compiled against 
=sys-kernel/linux-headers-2.6.27-r2 has not been tested by the Gentoo Hardened 
team and is not supported.

Now on to the fun...

To attain sha512 shadow password hash capability one must:
1.  Upgrade to >=sys-libs/glibc-2.8
2.  Compile (+install) >=sys-libs/pam-1 against >=sys-libs/glibc-2.8
3.  Compile (+install) >=sys-auth/pambase-20081028 with USE="sha512" (enabled 
by default)

Any newly created or changed user passwords will now be stored via sha512 hash 
rather than md5.  Be aware, sha512 password hashes are not backward 
compatible with older glibc/pam.

Let's find all md5 password hashes:

# fgrep '$1$' /etc/shadow

Simply change the password for any listed account to have the password stored 
via sha512 hash. :)

Many thanks go to Diego "Flameeyes" Pettenò for maintaining PAM and making 
sha512 shadow password hash capability a reality in Gentoo.

That is all.

Gordon Malm (gengor)
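
An added example, not part of the original message: a small audit that goes one step beyond the fgrep above by classifying every shadow entry by its crypt(3) prefix, so md5 accounts (including locked ones, whose hash is prefixed with "!") can be listed and the sha512 migration tracked. The function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# classify_shadow FILE: print "user scheme" for each account that has a hash.
classify_shadow() {
    awk -F: '
        {
            h = $2                    # field 2 is the password field
            sub(/^!+/, "", h)         # locked accounts carry a leading "!"
            if (h == "" || h == "*" || h == "x") next   # no hash stored
            if      (index(h, "$1$") == 1) s = "md5"
            else if (index(h, "$5$") == 1) s = "sha256"
            else if (index(h, "$6$") == 1) s = "sha512"
            else                           s = "other"
            print $1, s
        }' "$1"
}

# md5_accounts FILE: accounts whose password must be changed to get sha512.
md5_accounts() {
    classify_shadow "$1" | awk '$2 == "md5" { print $1 }'
}

# write_sample FILE: constructed shadow entries (not real hashes).
write_sample() {
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedsha512value:14200:0:99999:7:::
alice:$1$CONSTRUC$constructedmd5value:14100:0:99999:7:::
bob:!$1$CONSTRUC$lockedmd5value:14100:0:99999:7:::
daemon:*:14000:0:99999:7:::
carol:$6$CONSTRUCTEDSALT$anotherconstructedvalue:14200:0:99999:7:::
EOF
}

# Demo on the constructed sample; on a real system pass /etc/shadow as root.
sample=$(mktemp)
write_sample "$sample"
echo "Accounts still using md5:"
md5_accounts "$sample"
rm -f "$sample"
```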
