1. Securing Systems and Attached Devices in Oracle Solaris 11.4
  2. Controlling Access to Systems
  3. Changing the Default Algorithm for Password Encryption

Changing the Default Algorithm for Password Encryption

The default crypt_sha256 algorithm is represented by the value 5. To switch to another algorithm, assign a different identifier. For a list of password encryption algorithms and their corresponding identifiers, see Password Hashing Algorithms.

Note:

Use FIPS 140-2 approved algorithms when possible. For a list of FIPS 140-2 approved algorithms, see FIPS 140-2 Algorithm Lists and Certificate References for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.

Note that the new algorithm applies only to password encryption for new users. For existing users, the previous algorithm remains operative if it remains defined in the CRYPT_ALGORITHMS_ALLOW parameter and is not unix. To see how encryption is implemented in this case, see Password Hashes Configuration. To include existing users under the new password encryption algorithm, remove the previous algorithm from the CRYPT_ALGORITHMS_ALLOW parameter as well.

For more information about configuring the algorithm choices, see the policy.conf(5) man page.

Note:

The procedures and examples in this section do not work if you are using the account-policy service. If you have enabled this service, see Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4 for how to modify the security attributes that you used to modify by editing the policy.conf file.