System Administration Guide: Security Services

Procedure: How to Install a Password Encryption Module From a Third Party

A third-party password encryption algorithm is typically delivered as a module in a software package. When you run the pkgadd command, scripts from the vendor should modify the /etc/security/crypt.conf file. You then modify the /etc/security/policy.conf file to include the new module and its identifier.

  1. Add the software by using the pkgadd command.

    For detailed instructions on how to add software, see Adding or Removing a Software Package (pkgadd) in System Administration Guide: Basic Administration.

  2. Confirm that the new module and module identifier have been added.

    Read the list of encryption algorithms in the /etc/security/crypt.conf file.

    For example, the following lines show that a module that implements the crypt_rot13 algorithm has been installed.


    # crypt.conf
    #
    md5 /usr/lib/security/$ISA/crypt_md5.so
    rot13 /usr/lib/security/$ISA/crypt_rot13.so
    
    # For *BSD - Linux compatibility
    # 1 is MD5,  2a is Blowfish
    1 /usr/lib/security/$ISA/crypt_bsdmd5.so
    2a /usr/lib/security/$ISA/crypt_bsdbf.so

  3. Add the identifier of the newly installed algorithm to the /etc/security/policy.conf file.

    The following lines show excerpts from the policy.conf file that would need to be modified to add the rot13 identifier.


    # Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
    # ...
    #ident  "@(#)policy.conf        1.12     08/05/14 SMI"
    # ...
    # crypt(3c) Algorithms Configuration
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6,rot13
    #CRYPT_ALGORITHMS_DEPRECATE=__unix__
    CRYPT_DEFAULT=md5

    In this example, the rot13 algorithm is used if the current password was encrypted with the crypt_rot13 algorithm. New user passwords are encrypted with the crypt_sunmd5 algorithm. This algorithm configuration works on Solaris-only networks.
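
The checks in steps 2 and 3 can be scripted. The following shell function is an added example, not part of the original guide: it confirms that the new identifier appears in both files and that every identifier named in policy.conf has a crypt.conf entry. The function name `check_crypt_policy`, its messages, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage: check_crypt_policy CRYPT_CONF POLICY_CONF [NEW_ID]
# Prints one finding per line; returns 0 if consistent, 1 otherwise.
check_crypt_policy() {
    awk -v new_id="${3:-}" '
        function report(msg) { print msg; bad++ }
        FILENAME == ARGV[1] {          # crypt.conf: identifier, then module path
            if ($0 !~ /^[ \t]*#/ && NF >= 2) defined[$1] = 1
            next
        }
        /^CRYPT_ALGORITHMS_ALLOW=/ { allow = substr($0, index($0, "=") + 1) }
        /^CRYPT_DEFAULT=/          { dflt  = substr($0, index($0, "=") + 1) }
        END {
            defined["__unix__"] = 1    # reserved name, has no crypt.conf line
            n = split(allow, ids, ",")
            for (i = 1; i <= n; i++) {
                if (ids[i] == "") {
                    report("empty entry at position " i " in CRYPT_ALGORITHMS_ALLOW")
                    continue
                }
                allowed[ids[i]] = 1
                if (!(ids[i] in defined))
                    report("allowed identifier " ids[i] " has no crypt.conf entry")
            }
            if (dflt != "" && !(dflt in defined))
                report("CRYPT_DEFAULT " dflt " has no crypt.conf entry")
            if (new_id != "" && !(new_id in defined))
                report("new identifier " new_id " missing from crypt.conf")
            # The ALLOW check applies only when policy.conf sets an ALLOW list.
            if (new_id != "" && n > 0 && !(new_id in allowed))
                report("new identifier " new_id " missing from CRYPT_ALGORITHMS_ALLOW")
            exit (bad > 0)
        }
    ' "$1" "$2"
}

# Constructed sample files (not from a real system).
tmp=$(mktemp -d)
cat > "$tmp/crypt.conf" <<'EOF'
md5 /usr/lib/security/$ISA/crypt_md5.so
rot13 /usr/lib/security/$ISA/crypt_rot13.so
1 /usr/lib/security/$ISA/crypt_bsdmd5.so
EOF
printf 'CRYPT_ALGORITHMS_ALLOW=1,md5,rot13\nCRYPT_DEFAULT=md5\n' > "$tmp/good.conf"
printf 'CRYPT_ALGORITHMS_ALLOW=1,md5,,rot31\nCRYPT_DEFAULT=md5\n' > "$tmp/bad.conf"
check_crypt_policy "$tmp/crypt.conf" "$tmp/good.conf" rot13 && echo "good.conf: consistent"
check_crypt_policy "$tmp/crypt.conf" "$tmp/bad.conf" rot13 || echo "bad.conf: findings above"
rm -rf "$tmp"
```

On a live system, run it as `check_crypt_policy /etc/security/crypt.conf /etc/security/policy.conf rot13` after editing policy.conf.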