How to Specify an Algorithm for Password Encryption
In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of machines that run the Solaris, BSD, and Linux versions of UNIX. See Table 2–1 for a list of password encryption algorithms and algorithm identifiers.
-
Become superuser or assume an equivalent role.
-
Specify the identifier for the encryption algorithm as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
You might want to comment the file to explain your choice.
# vi /etc/security/policy.conf … CRYPT_ALGORITHMS_ALLOW=1,2a,md5 # # Use the version of MD5 that works with Linux and BSD systems. # Passwords previously encrypted with __unix__ will be encrypted with MD5 # when users change their passwords. # #CRYPT_DEFAULT=__unix__ CRYPT_DEFAULT=1
In this example, the algorithms configuration ensures that the weakest algorithm, crypt_unix, is never used to encrypt a password. Users whose passwords were encrypted with the crypt_unix module get a crypt_bsdmd5–encrypted password when they change their passwords.
For more information on the syntax for configuring the algorithm choices, see the policy.conf(4) man page.
Example—Using the Blowfish Algorithm for Password Encryption
In this example, the identifier for the Blowfish algorithm, 2a, is specified as the value for the CRYPT_DEFAULT variable. The policy.conf entries that control password encryption would look like the following:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5 #CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=2a |
This configuration is compatible with BSD systems that use the Blowfish algorithm.
- © 2010, Oracle Corporation and/or its affiliates