Strong password encryption provides an early barrier against attack. The Solaris 9 12/02 release provides four password encryption modules. The MD5 modules and the Blowfish module provide more robust password encryption than the UNIX algorithm.
You specify the algorithm configuration for your site in the /etc/security/policy.conf file. In the policy.conf file, the algorithms are named by their identifier, as shown in the following table.
Table 15–1 Password Encryption Algorithms

| Identifier | Description | Algorithm Man Page |
|---|---|---|
| 1 | The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems. | |
| 2a | The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems. | |
| md5 | The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5. | |
| __unix__ | The traditional UNIX encryption algorithm. This algorithm is the default module in the policy.conf file. | |
The following shows the default policy.conf file:

```
#
# Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident  "@(#)policy.conf        1.6     02/06/07 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
```
When you change the value of CRYPT_DEFAULT, the passwords of new users are encrypted with the algorithm that is associated with the new value. When existing users change their passwords, the algorithm that encrypted their old password determines which algorithm is used to encrypt the new password: the old algorithm is kept if it is in the CRYPT_ALGORITHMS_ALLOW list, and CRYPT_DEFAULT is used otherwise.
For example, assume that CRYPT_ALGORITHMS_ALLOW=1,2a,md5 and CRYPT_DEFAULT=1. The following table shows which algorithm would be used to generate the encrypted password.
| Initial Password Algorithm | Changed Password Algorithm | Explanation |
|---|---|---|
| crypt_bsdmd5 | crypt_bsdmd5 | The identifier of crypt_bsdmd5 is 1, the value of CRYPT_DEFAULT. The user's password continues to be encrypted with the crypt_bsdmd5 algorithm. |
| crypt_bsdbf | crypt_bsdbf | The identifier of crypt_bsdbf is 2a. Because 2a is in the CRYPT_ALGORITHMS_ALLOW list, the new password is encrypted with the crypt_bsdbf algorithm. |
| crypt_md5 | crypt_md5 | The identifier of crypt_md5 is md5. Because md5 is in the CRYPT_ALGORITHMS_ALLOW list, the new password is encrypted with the crypt_md5 algorithm. |
| crypt_unix | crypt_bsdmd5 | The identifier of crypt_unix is __unix__. The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm. |
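The selection rule in the table above, as an added example that is not part of the Solaris documentation or of libc: it reads a constructed policy.conf fragment and constructed shadow(4)-style lines, identifies each account's current algorithm from the salt prefix of its hash, and reports which algorithm a password change would move it to, which is the check an administrator wants before and after changing CRYPT_DEFAULT. It goes slightly beyond the page's four cases by also honouring CRYPT_ALGORITHMS_DEPRECATE and an unset CRYPT_ALGORITHMS_ALLOW; the $1$, $2a$ and $md5$ prefixes and that deprecate handling are assumptions about crypt_gensalt(3c) behaviour, not statements taken from this page.

```python
# Constructed policy.conf fragment (not copied from a real host).
POLICY_CONF = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
"""
# Constructed shadow(4)-style lines; the hash fields are placeholders.
SHADOW = """\
alice:$1$saltsalt$placeholder:12345::::::
bob:$2a$04$placeholderplaceholder:12345::::::
carol:$md5$saltsalt$$placeholder:12345::::::
dave:pLaCeHoLdEr12:12345::::::
"""
# Salt prefix each module writes (assumed); no "$id$" prefix means crypt_unix.
PREFIX_TO_ID = {"$1$": "1", "$2a$": "2a", "$md5$": "md5"}

def parse_policy(text):
    """Return (allow, deprecate, default) from policy.conf text."""
    conf = {"CRYPT_DEFAULT": "__unix__"}  # value used when the key is unset
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key] = value
    ids = lambda k: [x for x in conf.get(k, "").split(",") if x]
    return (ids("CRYPT_ALGORITHMS_ALLOW"), ids("CRYPT_ALGORITHMS_DEPRECATE"),
            conf["CRYPT_DEFAULT"])

def hash_algorithm(hashed):
    """Identifier of the algorithm that produced an existing hash."""
    return next((i for p, i in PREFIX_TO_ID.items() if hashed.startswith(p)),
                "__unix__")

def algorithm_on_change(hashed, allow, deprecate, default):
    """Identifier for the user's next password: keep the current one unless
    it is deprecated or absent from a non-empty ALLOW list, else CRYPT_DEFAULT."""
    current = hash_algorithm(hashed)
    if current in deprecate or (allow and current not in allow):
        return default
    return current

def audit(shadow_text, policy_text):
    """Per user: (identifier of current hash, identifier after a change)."""
    allow, deprecate, default = parse_policy(policy_text)
    report = {}
    for line in shadow_text.splitlines():
        user, hashed = line.split(":")[:2]
        report[user] = (hash_algorithm(hashed),
                        algorithm_on_change(hashed, allow, deprecate, default))
    return report
```

Running audit(SHADOW, POLICY_CONF) reproduces the table: only dave, still on crypt_unix, moves to identifier 1 at his next password change.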
For more information on the syntax for configuring the algorithm choices, see the policy.conf(4) man page. For information on how to use the new password encryption algorithms, see Changing the Default Algorithm for Password Encryption.