Change the encryption algorithm used to encrypt the password database

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: Brett Mahar contact _OpenBSD


Concept

Given a screenshot of a password database, an admin should be able to recognize the encryption algorithm in use and know how to select another algorithm. Have a basic understanding of when to use DES, MD5 and Blowfish.

Introduction

TODO: test and document on other BSD systems -- as appropriate make this content not BSD specific

On NetBSD, the passwd(1) command (covered in section TODO) can use the /etc/passwd.conf configuration file to choose the password algorithm. The format is ..TODO... The default is "old", which is the common crypt(3) DES encryption scheme. TODO: passwd.c doesn't call pw_getconf() so I think it must use pam for this?

OpenBSD uses the localcipher entry in the /etc/login.conf file to configure which algorithm the passwords are encrypted with. This can be old, newsalt,<rounds>, md5, or blowfish,<rounds>, where <rounds> is the base-2 logarithm of the number of rounds of encryption the password is subjected to while being encrypted. See the login.conf man page for the possible values.

FreeBSD and DragonflyBSD also use the /etc/login.conf file, but use the entry passwd_format. The values can be des, md5, or blf (for Blowfish).

The following are examples of different results based on the same password.

  • old but common crypt(3) DES: 7rpABVh3LoKjE
  • MD5: $1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1
  • NetBSD newsalt: _Gl/.Sw2RBVnj01TI6Tc
  • SHA1: $sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH
  • Blowfish: $2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq

As you can see, the newer algorithms prefix the hash with an identifier, so routines (like TODO) can recognize the format and know which algorithm to use for the comparison. TODO: show this format
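As an added example (not part of this guide, and not code from any BSD project), the following Python script shows how the identifying prefix is used in practice: it recognizes which of the five schemes listed above produced a hash, recovers the round count where the hash encodes one, and maps the scheme back to the login.conf values given for OpenBSD and FreeBSD. The sample master.passwd lines are constructed; the hashes in them are the ones quoted above. The function and variable names are the example's own.

```python
"""Identify the crypt(3) scheme behind BSD password hashes (added example)."""
import re

# Alphabet used by crypt(3) variants to encode salts and counts ("./0-9A-Za-z").
HASH64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Configuration values quoted in the text: OpenBSD login.conf "localcipher" and
# FreeBSD/DragonflyBSD login.conf "passwd_format". SHA1 is the NetBSD scheme
# chosen through /etc/passwd.conf, so no login.conf value is listed for it.
CONFIG_HINT = {
    "des":      ("localcipher=old", "passwd_format=des"),
    "newsalt":  ("localcipher=newsalt,<rounds>", None),
    "md5":      ("localcipher=md5", "passwd_format=md5"),
    "blowfish": ("localcipher=blowfish,<log2 rounds>", "passwd_format=blf"),
    "sha1":     (None, None),
}


def decode_hash64(chars):
    """Decode a little-endian, 6-bits-per-character count (newsalt encoding)."""
    value = 0
    for i, c in enumerate(chars):
        value |= HASH64.index(c) << (6 * i)
    return value


def identify_hash(h):
    """Return (scheme, rounds) for one hash field, or ('unknown', None)."""
    if h.startswith("$2a$") or h.startswith("$2b$"):
        # Blowfish (bcrypt): $2a$NN$... where NN is the base-2 log of the rounds.
        # $2b$ is the newer bcrypt identifier used by current OpenBSD.
        return "blowfish", 2 ** int(h[4:6])
    if h.startswith("$1$"):
        # MD5 crypt: $1$<salt>$<hash>, fixed 1000-iteration loop.
        return "md5", 1000
    if h.startswith("$sha1$"):
        # NetBSD SHA1: $sha1$<rounds>$<salt>$<hash>.
        return "sha1", int(h.split("$")[2])
    if h.startswith("_") and len(h) == 20:
        # BSDi extended DES ("newsalt"): '_' + 4-char count + 4-char salt + 11-char hash.
        return "newsalt", decode_hash64(h[1:5])
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        # Traditional crypt(3) DES: 2-char salt + 11-char hash, 25 DES iterations.
        return "des", 25
    return "unknown", None


def scan_master_passwd(lines):
    """Parse master.passwd-style lines (user:hash:uid:gid:...) into
    (user, scheme, rounds, openbsd_hint, freebsd_hint) tuples."""
    result = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pwhash = fields[0], fields[1]
        scheme, rounds = identify_hash(pwhash)
        ob, fb = CONFIG_HINT.get(scheme, (None, None))
        result.append((user, scheme, rounds, ob, fb))
    return result


# Constructed sample lines; the hash fields are the examples quoted in the text.
SAMPLE_MASTER_PASSWD = [
    "alice:7rpABVh3LoKjE:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:_Gl/.Sw2RBVnj01TI6Tc:1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "dave:$sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH:1004:1004::0:0:Dave:/home/dave:/bin/sh",
    "erin:$2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq:1005:1005::0:0:Erin:/home/erin:/bin/sh",
]

if __name__ == "__main__":
    for user, scheme, rounds, ob, fb in scan_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:8} {scheme:9} rounds={rounds!s:6} OpenBSD: {ob}  FreeBSD: {fb}")
```

Running the script over the sample lines reports the scheme and round count for each user; note that the newsalt count decoded from the example hash is 7250, and the Blowfish example was generated with a base-2 log of 4 (16 rounds), which is why it is cheap to compute and therefore a poor production setting.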

(Note that while a high number of rounds may improve security, it is expensive: generating the hash becomes very slow.) TODO: reword this or better explain

Examples

Practice Exercises

More information

login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)