How to Specify an Algorithm for Password Encryption
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Example 3-4 Constraining Password Encryption Algorithms in a Heterogeneous Environment
In this example, the administrator on a network that includes BSD and Linux systems configures passwords to be usable on all systems. Because some network applications cannot handle SHA512 encryption, the administrator does not include its identifier in the list of allowed algorithms. The administrator retains the SHA256 algorithm, 5, as the value for the CRYPT_DEFAULT variable. The CRYPT_ALGORITHMS_ALLOW variable contains the MD5 identifier, which is compatible with BSD and Linux systems, and the Blowfish identifier, which is compatible with BSD systems. Because 5 is the CRYPT_DEFAULT algorithm, it does not need to be listed in the CRYPT_ALGORITHMS_ALLOW list. However, for maintenance purposes, the administrator places 5 in the CRYPT_ALGORITHMS_ALLOW list and the unused identifiers in the CRYPT_ALGORITHMS_DEPRECATE list.
CRYPT_ALGORITHMS_ALLOW=1,2a,5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6
CRYPT_DEFAULT=5
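The following audit sketch is an added example, not part of the Oracle documentation. It reads the three settings shown above and reports which accounts in a shadow-style listing hold hashes whose algorithm identifier is outside CRYPT_ALGORITHMS_ALLOW plus CRYPT_DEFAULT. The account names and hash bodies are constructed placeholders, the function names are hypothetical, and only an ALLOW-style policy is handled.

```python
import re

# Constructed sample: the policy settings from Example 3-4.
POLICY = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6
CRYPT_DEFAULT=5
"""
# Constructed shadow-style entries (user:hash:...); hash bodies are placeholders.
SHADOW = """\
alice:$5$saltsalt$PLACEHOLDERHASH:19000::::::
bob:$1$saltsalt$PLACEHOLDERHASH:19000::::::
carol:$2a$04$PLACEHOLDERSALTANDHASH:19000::::::
dave:$6$saltsalt$PLACEHOLDERHASH:19000::::::
erin:$md5,rounds=5000$saltsalt$$PLACEHOLDERHASH:19000::::::
frank:abJnggxhB/yWI:19000::::::
grace:*LK*:19000::::::
"""

def parse_policy(text):
    """Return uncommented KEY=value settings; '#' lines are ignored."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def hash_identifier(field):
    """Map a password field to its algorithm identifier.

    '$id$...' and '$id,params$...' yield id; a bare 13-character string is
    traditional crypt ('__unix__'); locked or empty fields yield None.
    """
    m = re.match(r"\$([^$,]+)[$,]", field)
    if m:
        return m.group(1)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "__unix__"
    return None

def audit(policy_text, shadow_text):
    """Return {user: identifier} for hashes outside the allowed set."""
    p = parse_policy(policy_text)
    allowed = set(filter(None, p.get("CRYPT_ALGORITHMS_ALLOW", "").split(",")))
    allowed.add(p["CRYPT_DEFAULT"])  # the default need not be listed in ALLOW
    findings = {}
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        ident = hash_identifier(field)
        if ident is not None and ident not in allowed:
            findings[user] = ident
    return findings
```

Calling audit(POLICY, SHADOW) on the constructed data flags the accounts whose hashes use the identifiers that the example places in the commented-out CRYPT_ALGORITHMS_DEPRECATE line.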