Go to main content

man pages section 5: File Formats

Exit Print View

Updated: Wednesday, February 10, 2021



crypt.conf - configuration file for pluggable crypt modules




crypt.conf is the configuration file for the pluggable crypt architecture. Each crypt module must provide a function to generate a password hash, crypt_genhash_impl(3C), and a function to generate the salt, crypt_gensalt_impl(3C).

Each line in crypt.conf defines a mapping between an algorithm identifier and the shared object implementing it, of the form:

	name    module_path	[params]

The name field specifies an identifier used to refer to this algorithm in the salt argument to crypt(3C) and in the password/crypt/algorithms_allow, password/crypt/algorithms_deprecate, and password/crypt/default properties of the account-policy(8S) service, which controls which methods are allowed to be used for setting or checking passwords.

The module_path field specifies the pathname to a shared library object that implements crypt_genhash_impl() and crypt_gensalt_impl(). If the pathname is not absolute, it is assumed to be relative to /usr/lib/security/$ISA. If the pathname contains the $ISA token, the token is replaced by an implementation-defined directory name that defines the path relative to the calling program's instruction set architecture.

The optional params field is used to pass module-specific options to the shared objects. See crypt_genhash_impl(3C) and crypt_gensalt(3C). It is the responsibility of the module to parse and interpret the options. The params field can be used by the modules to turn on debugging or to pass any module-specific parameters that control the output of the hashing algorithm


Example 1 Increasing the Work Factor

The following example increases the work factor to 12 for the crypt_bsdbf(7) module.

2a /usr/lib/security/$ISA/crypt_bsdbf.so 12

Example 2 Setting the Rounds

The following example sets the rounds for the crypt_sunmd5(7) module:

md5 /usr/lib/security/$ISA/crypt_sunmd5.so rounds=2000

Example 3 Using the Default /etc/security/crypt.conf

The following default /etc/security/crypt.conf supports five plugins:

1      crypt_bsdmd5.so.1
2a     crypt_bsdbf.so.1
md5    crypt_sunmd5.so.1
5      crypt_sha256.so.1       rounds=10000
6      crypt_sha512.so.1       rounds=10000


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

passwd(1), crypt(3C), crypt_genhash_impl(3C), crypt_gensalt(3C), crypt_gensalt_impl(3C), getpassphrase(3C), passwd(5), attributes(7), crypt_bsdbf(7), crypt_bsdmd5(7), crypt_sha256(7), crypt_sha512(7), crypt_sunmd5(7), crypt_unix(7), account-policy(8S)