BSDwiki/ Change the encryption algorithm used to encrypt the password database

Change the encryption algorithm used to encrypt the password database

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

Given a screenshot of a password database, an admin should be able to recognize the encryption algorithm in use and know how to select another algorithm, and should have a basic understanding of when to use DES, MD5 and Blowfish.

Introduction

TODO: test and document on other BSD systems -- as appropriate make this content not BSD specific

On NetBSD, the passwd(1) command (covered in section TODO) can use the /etc/passwd.conf configuration file to choose the password algorithm. The format is ..TODO... The default is "old", which is the common crypt(3) DES encryption scheme. TODO: passwd.c doesn't call pw_getconf() so I think it must use pam for this?

The following are examples of different results based on the same password.

As you can see, the new algorithms use a format that can be recognized by routines (like TODO), so the comparing routine knows which algorithm to apply to the supplied password. TODO: show this format

(Note that while a high round count may improve security, it is also expensive: generating the hash becomes very slow.) TODO: reword this or better explain
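As an added illustration (not part of the original page), the following Python script identifies the algorithm of each hash field in master.passwd(5)-style lines by its prefix and pulls out the round count where the format carries one. The sample lines and hash strings are constructed to have the right shape and are not real hashes of any password.

```python
import re

# Constructed sample in master.passwd(5) layout:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
# Hash fields are made-up strings of the correct shape, not real hashes.
SAMPLE_MASTER_PASSWD = """\
root:$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$saltsalt$abcdefghijklmnopqrstuv:1000:100::0:0:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yWI:1001:100::0:0:Bob:/home/bob:/bin/ksh
carol:$sha1$24680$saltsalt$abcdefghijklmnopqrstuvwxyz01:1002:100::0:0:Carol:/home/carol:/bin/sh
daemon:*************:1:1::0:0:The devil himself:/:/sbin/nologin
guest::1003:100::0:0:Guest:/home/guest:/bin/sh
"""


def identify_hash(h):
    """Return (algorithm, rounds_or_None, note) for one hash field."""
    if h == "":
        return ("none", None, "empty field: password-less login")
    if h.startswith("*") or h.startswith("!"):
        return ("locked", None, "no valid hash; password login disabled")
    if re.fullmatch(r"\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}", h):
        return ("md5", None, "")
    m = re.fullmatch(r"\$2[abxy]?\$(\d\d)\$[./A-Za-z0-9]{53}", h)
    if m:  # bcrypt stores log2 of the iteration count after the prefix
        return ("blowfish", 2 ** int(m.group(1)), "")
    m = re.fullmatch(r"\$sha1\$(\d+)\$[^$]+\$[./A-Za-z0-9]+", h)
    if m:  # NetBSD $sha1$ stores the iteration count directly
        return ("sha1", int(m.group(1)), "")
    if re.fullmatch(r"[./A-Za-z0-9]{13}", h):
        # traditional crypt(3): 2-char salt + 11-char hash, no prefix
        return ("des", None, "only the first 8 password characters are used")
    return ("unknown", None, "unrecognised format")


def audit(master_passwd_text):
    """Map each user in master.passwd-style text to identify_hash()'s result."""
    report = {}
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue  # not a master.passwd(5) line
        report[fields[0]] = identify_hash(fields[1])
    return report


def weak_users(report):
    """Users still on DES or with no password at all: candidates for re-hashing."""
    return sorted(u for u, (alg, _, _) in report.items() if alg in ("des", "none"))
```

Running `audit(SAMPLE_MASTER_PASSWD)` shows bob on DES and guest with no password, while root's Blowfish entry reports 1024 rounds and carol's sha1 entry 24680, which is the cost figure the note above is about.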

Examples

Practice Exercises

More information

login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)