Password Encryption (System Administration Guide: Security Services)

System Administration Guide: Security Services

Password Encryption

Strong password encryption provides an early barrier against attack. The Solaris 9 12/02 release provides four password encryption modules. The MD5 modules and the Blowfish module provide more robust password encryption than the UNIX algorithm.

You specify the algorithms configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table.

Table 15–1 Password Encryption Algorithms


Identifier	Description	Algorithm Man Page
`1`	The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.	crypt_bsdmd5(5)
`2a`	The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.	crypt_bsdbf(5)
`md5`	The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.	crypt_sunmd5(5)
`__unix__`	The traditional UNIX encryption algorithm. This algorithm is the default module in the `policy.conf` file.	crypt_unix(5)

Algorithms Configuration in the `policy.conf` File

The following shows the default policy.conf file:

#
# Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident  "@(#)policy.conf        1.6     02/06/07 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__

When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value. When current users change their passwords, how their old password was encrypted affects which algorithm is used to encrypt the new password.

For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5 and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password.

Initial Password Algorithm	Changed Password Algorithm	Explanation
`crypt_bsdmd5`	`crypt_bsdmd5`	The identifier of `crypt_bsdmd5` is `1`, the value of `CRYPT_DEFAULT`. The user's password continues to be encrypted with the `crypt_bsdmd5` algorithm.
`crypt_bsdbf`	`crypt_bsdbf`	The identifier of `crypt_bsdbf` is `2a`. Because `2a` is in the `CRYPT_ALGORITHMS_ALLOW` list, the new password is encrypted with the `crypt_bsbdf` algorithm.
`crypt_md5`	`crypt_md5`	The identifier of `crypt_md5` is `md5`. Because `md5` is in the `CRYPT_ALGORITHMS_ALLOW` list, the new password is encrypted with the `crypt_md5` algorithm.
`crypt_unix`	`crypt_bsdmd5`	The identifier of `crypt_unix` is `__unix__`. The `__unix__` identifier is not in the `CRYPT_ALGORITHMS_ALLOW` list. Therefore, the `crypt_unix` algorithm cannot be used. The new password is encrypted with the `CRYPT_DEFAULT` algorithm.

For more information on the syntax for configuring the algorithm choices, see the policy.conf(4) man page. For information on how to use the new password encryption algorithms, see Changing the Default Algorithm for Password Encryption.

Password Encryption

Algorithms Configuration in the policy.conf File

Algorithms Configuration in the `policy.conf` File