System Administration Guide: Security Services

Password Encryption

Strong password encryption provides an early barrier against attack. Solaris software provides four password encryption algorithms. The two MD5 algorithms and the Blowfish algorithm provide more robust password encryption than the UNIX algorithm.

Password Algorithm Identifiers

You specify the algorithms configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table.

Table 2–1 Password Encryption Algorithms

Identifier 

Description 

Algorithm Man Page 

1

The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.

crypt_bsdmd5(5)

2a

The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.

crypt_bsdbf(5)

md5

The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.

crypt_sunmd5(5)

5

The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords.

crypt_sha256(5)

6

The SHA512 algorithm.

crypt_sha512(5)

__unix__

The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file.

crypt_unix(5)

Algorithms Configuration in the policy.conf File

The following shows the default algorithms configuration in the policy.conf file:


#
…
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
…

When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value. When current users change their passwords, how their old password was encrypted affects which algorithm is used to encrypt the new password.

For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password.

Identifier = Password Algorithm 

Explanation 

Initial Password 

Changed Password 

1 = crypt_bsdmd5

Uses same algorithm 

The 1 identifier is also the value of CRYPT_DEFAULT. The user's password continues to be encrypted with the crypt_bsdmd5 algorithm.

2a = crypt_bsdbf

Uses same algorithm 

The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsbdf algorithm.

md5 = crypt_md5

Uses same algorithm 

The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm.

5 = crypt_sha256

Uses same algorithm 

The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha256 algorithm.

6 = crypt_sha512

Uses same algorithm 

The 6 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_sha512 algorithm.

__unix__ = crypt_unix

Uses crypt_bsdmd5 algorithm

The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm.

For more information on configuring the algorithm choices, see the policy.conf(4) man page. To specify password encryption algorithms, see Changing the Password Algorithm (Task Map).