System Administration Guide: Security Services

ProcedureHow to Specify an Algorithm for Password Encryption

In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of machines that run the Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2–1.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Specify the identifier for your chosen encryption algorithm.

    Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.

    You might want to comment the file to explain your choice.

    # cat  /etc/security/policy.conf
    # Use the version of MD5 that works with Linux and BSD systems.
    # Passwords previously encrypted with __unix__ will be encrypted with MD5
    # when users change their passwords.

    In this example, the algorithms configuration ensures that the weakest algorithm, crypt_unix, is never used to encrypt a password. Users whose passwords were encrypted with the crypt_unix module get a crypt_bsdmd5-encrypted password when they change their passwords.

    For more information on configuring the algorithm choices, see the policy.conf(4) man page.

Example 3–6 Using the Blowfish Algorithm for Password Encryption

In this example, the identifier for the Blowfish algorithm, 2a, is specified as the value for the CRYPT_DEFAULT variable in the policy.conf file:


This configuration is compatible with BSD systems that use the Blowfish algorithm.