Change the encryption algorithm used to encrypt the password database
Author: name contact BSD flavour
Reviewer: name contact BSD flavour
Reviewer: Brett Mahar contact _OpenBSD
Concept
Given a screenshot of a password database, an admin should be able to recognize the encryption algorithm in use and know how to select another algorithm, and should have a basic understanding of when to use DES, MD5 and Blowfish.
Introduction
TODO: test and document on other BSD systems -- as appropriate make this content not BSD specific
On NetBSD, the passwd(1) command (covered in section TODO) can use an /etc/passwd.conf configuration file to choose the password algorithm. The format is ..TODO... The default is "old", the traditional crypt(3) DES scheme. (Strictly speaking, crypt(3) produces a one-way hash rather than an encrypted copy of the password; this page keeps the traditional "encrypted password" wording.)
TODO: passwd.c doesn't call pw_getconf() so I think it must use pam for this?
OpenBSD uses the localcipher entry in the /etc/login.conf file to configure which algorithm to hash passwords with. This can be old, newsalt,<rounds>, md5, or blowfish,<rounds>. For blowfish, <rounds> is the base 2 logarithm of the number of rounds the password is subjected to while being hashed, so each increment doubles the cost; for newsalt it is the plain round count. See the login.conf man page for the permitted values.
FreeBSD and DragonFly BSD also use the /etc/login.conf file, but with the entry passwd_format. The values can be des, md5, or blf (for Blowfish). On these systems login.conf is compiled into a database, so run cap_mkdb /etc/login.conf after editing it for the change to take effect.
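The configuration settings above, shown side by side as an added example (this is not code from the original page or from any BSD source tree): a FreeBSD/DragonFly login.conf class with the weak DES setting beside the Blowfish setting, an OpenBSD localcipher entry, and a NetBSD passwd.conf entry, together with two small helpers that report which algorithm a given file selects. Everything is written to a temporary directory, never to /etc; the passwd.conf layout ("default:" section, "key = value" lines) is the one documented in passwd.conf(5) and is an assumption of this example.

```shell
#!/bin/sh
# Added example, not taken from the original page or any BSD source tree.
# Writes constructed login.conf / passwd.conf fragments to a temporary
# directory (never /etc) and reports which algorithm each one selects.
# The NetBSD passwd.conf layout below is assumed from passwd.conf(5).
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# FreeBSD/DragonFly: weak setting (traditional DES) ...
cat > "$workdir/login.conf.des" <<'EOF'
default:\
    :passwd_format=des:\
    :umask=022:
EOF

# ... and the same class after switching to Blowfish. On a real system
# run "cap_mkdb /etc/login.conf" afterwards; existing hashes stay as they
# are until each user next changes their password.
cat > "$workdir/login.conf.blf" <<'EOF'
default:\
    :passwd_format=blf:\
    :umask=022:
EOF

# OpenBSD: localcipher, where 8 is log2 of the bcrypt round count.
cat > "$workdir/login.conf.openbsd" <<'EOF'
default:\
    :localcipher=blowfish,8:\
    :umask=022:
EOF

# NetBSD: the setting lives in /etc/passwd.conf, not login.conf.
cat > "$workdir/passwd.conf" <<'EOF'
default:
    localcipher = blowfish,8
    ypcipher = old
EOF

# logincap_value FILE CLASS KEY
# Prints KEY's value from the login.conf capability record for CLASS.
# Records span lines ending in a backslash, so lines are joined first.
logincap_value() {
    awk -v cls="$2" -v key="$3" '
        { rec = rec $0; if (sub(/\\$/, "", rec)) next }   # continuation line
        {
            n = split(rec, f, ":"); rec = ""
            if (f[1] != cls) next
            for (i = 2; i <= n; i++) {
                split(f[i], kv, "=")
                if (kv[1] == key) { print kv[2]; exit }
            }
        }' "$1"
}

# passwdconf_value FILE KEY
# Prints KEY's value from the "default" section of a NetBSD passwd.conf.
passwdconf_value() {
    awk -v key="$2" '
        /^[^ \t].*:$/ { section = substr($0, 1, length($0) - 1); next }
        section == "default" && $1 == key { print $3; exit }
    ' "$1"
}

echo "FreeBSD (weak):  $(logincap_value "$workdir/login.conf.des" default passwd_format)"
echo "FreeBSD (fixed): $(logincap_value "$workdir/login.conf.blf" default passwd_format)"
echo "OpenBSD:         $(logincap_value "$workdir/login.conf.openbsd" default localcipher)"
echo "NetBSD:          $(passwdconf_value "$workdir/passwd.conf" localcipher)"
```

Pointing the helpers at the real /etc/login.conf or /etc/passwd.conf is a quick way to confirm which algorithm newly set passwords will get; remember that the setting is only consulted when a password is changed, so an audit of the password database itself (by hash prefix) is still needed to find accounts that never moved off DES.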
The following are examples of the results of hashing the same password with different algorithms.
- old but common crypt(3) DES: 7rpABVh3LoKjE
- MD5: $1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1
- NetBSD newsalt: _Gl/.Sw2RBVnj01TI6Tc
- SHA1: $sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH
- Blowfish: $2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq
As you can see, the newer algorithms produce a self-describing string: a prefix identifies the algorithm ($1$ for MD5, $sha1$ for SHA1, $2a$ for Blowfish, a leading _ for newsalt), followed where applicable by the round count and the salt, with $ as the separator. crypt(3) reads that prefix from the stored hash, so a login routine only has to call crypt() with the candidate password and the stored string and compare the result. Traditional DES has no prefix and is recognized by its fixed 13-character length (2-character salt plus 11-character hash). One consequence is that changing the configured algorithm only affects passwords set from then on; existing entries keep their old hash until the user next changes their password.
Higher rounds make brute-force attacks on a stolen password database proportionally more expensive, but the same cost is paid on every login and password change, so choose a value that takes a noticeable fraction of a second on the machine in question rather than the maximum the format allows.
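The recognition described above, as an added example (not code from the original page or from any BSD crypt(3) implementation): a POSIX sh script that classifies hashes by prefix the way crypt(3) dispatches on them, extracts the work factor each format carries, and runs over a constructed master.passwd-style file built from the sample hashes listed above. The newsalt decoding assumes the _ format's 24-bit little-endian round count, 6 bits per character in the ./0-9A-Za-z alphabet.

```shell
#!/bin/sh
# Added example, not from the original page. Classifies crypt(3) hashes by
# their prefix (the same dispatch crypt(3) performs before re-hashing a
# candidate password) and reports the work factor each format carries.
# The sample master.passwd entries below are constructed for this example.
set -eu

# hash_algo HASH -> des | md5 | newsalt | sha1 | blowfish | locked | unknown
hash_algo() {
    case $1 in
        '$1$'*)          echo md5 ;;
        '$sha1$'*)       echo sha1 ;;
        '$2'[abxy]'$'*)  echo blowfish ;;
        _*)              echo newsalt ;;   # "_" + 4 rounds + 4 salt + 11 hash
        '*'*)            echo locked ;;    # "*" means no password login
        *)
            # Traditional DES has no prefix: 2-char salt + 11-char hash.
            if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# hash_rounds HASH -> the iteration count the hash string implies
hash_rounds() {
    case $(hash_algo "$1") in
        des)      echo 25 ;;     # classic crypt: 25 iterations of modified DES
        md5)      echo 1000 ;;   # md5crypt: fixed at 1000 iterations, not tunable
        sha1)     printf '%s\n' "$1" | awk -F'$' '{ print $3 }' ;;
        blowfish) printf '%s\n' "$1" | awk -F'$' '{ print 2 ^ ($3 + 0) }' ;;
        newsalt)  printf '%s\n' "$1" | awk '{
                      # the 4 chars after "_" are a 24-bit little-endian count
                      # in the ./0-9A-Za-z alphabet, 6 bits per character
                      a = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      n = 0
                      for (i = 0; i < 4; i++)
                          n += (index(a, substr($0, i + 2, 1)) - 1) * 64 ^ i
                      print n }' ;;
        *)        echo 0 ;;
    esac
}

# report_passwd_file FILE -> "user algorithm rounds" per entry
report_passwd_file() {
    while IFS=: read -r user hash _rest; do
        printf '%-8s %-9s %s\n' "$user" "$(hash_algo "$hash")" "$(hash_rounds "$hash")"
    done < "$1"
}

# Constructed sample in master.passwd layout, reusing the hashes listed above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
legacy:7rpABVh3LoKjE:1001:1001::0:0:DES user:/home/legacy:/bin/sh
md5usr:$1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1:1002:1002::0:0:MD5 user:/home/md5usr:/bin/sh
newsalt:_Gl/.Sw2RBVnj01TI6Tc:1003:1003::0:0:newsalt user:/home/newsalt:/bin/sh
sha1usr:$sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH:1004:1004::0:0:SHA1 user:/home/sha1usr:/bin/sh
bcrypt:$2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq:1005:1005::0:0:Blowfish user:/home/bcrypt:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
EOF

report_passwd_file "$sample"
```

Run against /etc/master.passwd (as root) this lists every account still on DES or on a low bcrypt cost, which is the check to do after changing the configured algorithm, since the new setting does nothing for hashes already on disk. The newsalt sample decodes to 7250 rounds, the format's documented minimum, and $2a$04$ to only 16 rounds, which is why the bcrypt cost should be raised well above the example value on a real system.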
Examples
Practice Exercises
More information
login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)