Go to main content

Securing Systems and Attached Devices in Oracle® Solaris 11.4

Exit Print View

Updated: July 2019
 
 

How to Specify an Algorithm for Password Encryption

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. In the /etc/security/policy.conf file, specify the identifier for your chosen encryption algorithm as the value for the CRYPT_DEFAULT variable.
  2. (Optional) Comment the file to explain your choice.

    For example:

    # cat  /etc/security/policy.conf# Sets the SHA256 (5) algorithm as default.
    # SHA256 supports 255-character passwords.
    # Passwords previously encrypted with MD5 (1) will be encrypted
    # with SHA256 (5) when users change their passwords.
    #CRYPT_DEFAULT=1
    CRYPT_DEFAULT=5

    In this example, the new value of CRYPT_DEFAULT is 5, which is SHA256, the SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords.

  3. (Optional) Remove the previous algorithm from the CRYPT_ALGORITHM_ALLOWED to make the new algorithm apply to existing users.

    For example, to ensure that the SHA256 algorithm also applies to existing users, the CRYPT_ALGORITHM_ALLOWED should exclude the prior identifier for MD5, 1.


    Note -  In addition, to promote FIPS 140-2 security, exclude the Blowfish algorithm (2a) from the entry.
    CRYPT_ALGORITHMS_ALLOW=5,6
Example 9  Constraining Password Encryption Algorithms in a Heterogeneous Environment

In this example, the administrator on a network that includes BSD and Linux systems configures passwords to be usable on all systems. Because some network applications cannot handle SHA512 encryption, the administrator does not include its identifier in the list of allowed algorithms. The administrator retains the SHA256 algorithm, 5, as the value for the CRYPT_DEFAULT variable. The CRYPT_ALGORITHMS_ALLOW variable contains the MD5 identifier, which is compatible with BSD and Linux systems, and the Blowfish identifier, which is compatible with BSD systems. Because 5 is the CRYPT_DEFAULT algorithm, it does not need to be listed in the CRYPT_ALGORITHMS_ALLOW list. However, for maintenance purposes, the administrator places 5 in the CRYPT_ALGORITHMS_ALLOW list and the unused identifiers in the CRYPT_ALGORITHMS_DEPRECATE list.

CRYPT_ALGORITHMS_ALLOW=1,2a,5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6
CRYPT_DEFAULT=5