Password Algorithm Identifiers

You can specify the password hashing algorithm configuration for your site by enabling the config/etc_default_passwd property in the account-policy SMF stencil. For more information, review Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

You indicate the algorithms by their identifier, as shown in the following table. The identifier is also what appears in the $identifier$ prefix of a user's stored password hash. For the identifier-to-algorithm mapping on a given system, see the /etc/security/crypt.conf file.

Note:

Use FIPS 140-2 approved algorithms when possible. For a list of FIPS 140-2 approved algorithms, see FIPS 140-2 Algorithm Lists and Certificate References for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.

Table 1-1 Password Hashing Algorithms

Identifier: 1
Algorithm:  The MD5-based algorithm that is compatible with the MD5 crypt used on BSD and Linux systems.
Man page:   crypt_bsdmd5(7)

Identifier: 2a
Algorithm:  The Blowfish-based algorithm that is compatible with the Blowfish crypt on BSD systems. Blowfish is not a FIPS 140-2 approved algorithm; to keep the system within FIPS 140-2 policy, remove 2a from password/crypt/algorithms_allow.
Man page:   crypt_bsdbf(7)

Identifier: md5
Algorithm:  The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.
Man page:   crypt_sunmd5(7)

Identifier: 5
Algorithm:  The SHA256 algorithm, a member of the SHA-2 family (SHA stands for Secure Hash Algorithm). SHA256 supports passwords of up to 255 characters. This algorithm is the default (CRYPT_DEFAULT).
Man page:   crypt_sha256(7)

Identifier: 6
Algorithm:  The SHA512 algorithm, also a member of the SHA-2 family.
Man page:   crypt_sha512(7)

Identifier: __unix__
Algorithm:  Deprecated. The traditional DES-based UNIX crypt algorithm, which hashes only the first 8 characters of the password. Its only remaining use is compatibility with old systems.
Man page:   crypt_unix(7)

Note:

When a user changes their password, the algorithm that produced the user's existing password hash continues to be used for the new hash, even if a different default algorithm was selected in the meantime. The existing algorithm is kept only under both of the following conditions:

  • The algorithm is included in the list of allowed algorithms for password hashing (password/crypt/algorithms_allow).

  • The identifier is not __unix__.

If either condition fails, the new password is hashed with the default algorithm (CRYPT_DEFAULT). A deprecated __unix__ hash is therefore replaced by a hash in the default algorithm the next time the user changes the password.

For procedures describing how to switch algorithms for password encryption, see Changing the Default Algorithm for Password Encryption.
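The following shell script is an added example, not part of the Oracle Solaris documentation or of the account-policy service itself. It illustrates both the identifier table and the note above: it classifies shadow(5) entries by the $identifier$ prefix of the stored hash (a 13-character hash with no prefix is the deprecated __unix__ form), and then reports which algorithm the next password change would use under a given default and allow list, following the rule in the note. The shadow entries, the hash strings, and the policy values 6 and "5,6" are constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit which password hashing algorithm
# each shadow(5) entry uses and which one the next password change will use.

# Print the crypt.conf identifier that produced a hash, judging by its prefix.
# Locked or passwordless entries (*LK*, !..., NP, empty) are reported as
# "locked"; a 13-character hash with no "$" prefix is the old __unix__ crypt.
hash_algorithm() {
    hash=$1
    case "$hash" in
        '$1$'*)    echo 1 ;;
        '$2a$'*)   echo 2a ;;
        '$md5'*)   echo md5 ;;      # covers $md5$ and $md5,rounds=N$
        '$5$'*)    echo 5 ;;
        '$6$'*)    echo 6 ;;
        \**|'!'*|NP|'') echo locked ;;
        *)
            if [ "${#hash}" -eq 13 ]; then echo __unix__; else echo unknown; fi ;;
    esac
}

# Identifier the next password change will use, per the note in the text:
# $1 = identifier of the user's current hash, $2 = CRYPT_DEFAULT,
# $3 = comma-separated CRYPT_ALGORITHMS_ALLOW list.  The current algorithm is
# kept only if it is allowed and is not __unix__; otherwise the default wins.
next_algorithm() {
    current=$1; default=$2; allow=$3
    if [ "$current" != "__unix__" ]; then
        case ",$allow," in
            *",$current,"*) echo "$current"; return 0 ;;
        esac
    fi
    echo "$default"
}

# Constructed sample shadow(5) entries (field 2 is the hash; not real hashes).
SAMPLE_SHADOW='root:$6$rQz3sAlt$H0rt0fAhash:19000::::::
legacy:ab12cdefghijk:19000::::::
alice:$5$ym9NDa1t$Sh0rt0fAhash:19000::::::
bob:$2a$10$Sa1tSa1tSa1tSa1tSa1t.B1owfishH4shB1owfishH4sh:19000::::::
carol:$md5,rounds=8000$xx1tXx1t$$Sh0rt0fAhash:19000::::::
svc:*LK*:19000::::::'

# For each sample entry print: user, current identifier, next identifier.
# $1 = CRYPT_DEFAULT, $2 = CRYPT_ALGORITHMS_ALLOW.
audit_shadow() {
    default=$1; allow=$2
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS=: read -r user hash rest; do
        cur=$(hash_algorithm "$hash")
        case "$cur" in
            locked|unknown) printf '%-8s %-9s %s\n' "$user" "$cur" '-' ;;
            *) printf '%-8s %-9s %s\n' "$user" "$cur" \
                   "$(next_algorithm "$cur" "$default" "$allow")" ;;
        esac
    done
}

# FIPS-oriented policy: default SHA512, only the SHA-2 algorithms allowed.
audit_shadow 6 '5,6'
```

With the constructed policy (default 6, allow list "5,6"), alice keeps SHA256 because 5 is still allowed, while bob's Blowfish, carol's Sun MD5, and the legacy __unix__ entry all move to SHA512 on their next password change. Entries that never change their password keep their old hashes, so an audit like this is how you find accounts that still need a forced password change after tightening the allow list. On a real system you would feed the output of a privileged read of /etc/shadow into the loop instead of the embedded sample.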