Password Algorithm Identifiers
You can specify the algorithms configuration for your site by enabling the config/etc_default_passwd property in the account-policy SMF stencil. For more information, review Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.
You indicate the algorithms by their identifier, as shown in the following table. For the identifier-algorithm mapping, see the /etc/security/crypt.conf file.
Note:
Use FIPS 140-2 approved algorithms when possible. For a list of FIPS 140-2 approved algorithms, see FIPS 140-2 Algorithm Lists and Certificate References for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.
Table 1-1 Password Hashing Algorithms
| Identifier | Description | Algorithm Man Page |
|---|---|---|
| | The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems. | |
| | The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems. To promote FIPS 140-2 security, remove the Blowfish algorithm (2a) from | |
| | The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5. | |
| | The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords. This algorithm is the default, | |
| | The SHA512 algorithm. | |
| | Deprecated. The traditional UNIX encryption algorithm. This algorithm can be of use when connecting to old systems. | |

Note:
The algorithm that is used for a user's initial password continues to be used for new password generation for that user even though a different default algorithm might have been selected prior to generating a new password for that user. This mechanism applies under the following conditions:
- The algorithm is included in the list of allowed algorithms to be used for password encryption.
- The identifier is not _unix_.
For procedures describing how to switch algorithms for password encryption, see Changing the Default Algorithm for Password Encryption.
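Because a user's existing algorithm can outlive a change of default, as the note above describes, it helps to check which identifiers are actually present in stored hashes. The following is an added example, not Oracle code: `hash_identifier`, `audit_shadow`, the allowed set `{"5", "6"}` and the sample entries are assumptions made for illustration, and it relies only on the `$identifier$` prefix that crypt-format hash strings carry.

```python
import re

# The identifier is the token between the first two "$" characters. Sun MD5
# hashes may carry ",rounds=N" inside that token, so anything after a comma
# is dropped.
_ID_RE = re.compile(r"^\$([^$,]+)(?:,[^$]*)?\$")
NO_HASH = {"", "NP", "UP", "*NP*"}  # no usable password hash in the field

def hash_identifier(field):
    """Return the algorithm identifier of a shadow password field, or None."""
    if field.startswith("*LK*"):      # locked account; the old hash may follow
        field = field[len("*LK*"):]
    if field in NO_HASH:
        return None
    match = _ID_RE.match(field)
    # "unix-crypt" is this example's own label for a hash with no "$id$" prefix
    return match.group(1) if match else "unix-crypt"

def audit_shadow(lines, allowed):
    """Return (user, identifier) pairs whose hash is outside `allowed`."""
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        ident = hash_identifier(parts[1])
        if ident is not None and ident not in allowed:
            findings.append((parts[0], ident))
    return findings

# Constructed sample entries; salts and hashes are placeholders, not real.
SAMPLE_SHADOW = """\
alice:$5$rounds=10000$SALTSALT$PLACEHOLDERHASH:19000::::::
bob:$1$SALTSALT$PLACEHOLDERHASH:17000::::::
carol:$md5,rounds=5000$SALTSALT$$PLACEHOLDERHASH:17000::::::
dave:*LK*$2a$04$PLACEHOLDERSALTANDHASH:16000::::::
erin:$6$SALTSALT$PLACEHOLDERHASH:19000::::::
frank:PLACEHOLDER13:15000::::::
svc:NP:15000::::::
""".splitlines()

if __name__ == "__main__":
    for user, ident in audit_shadow(SAMPLE_SHADOW, allowed={"5", "6"}):
        print(f"{user}: identifier {ident} is not in the allowed list")
```

Run it against a copy of the shadow file with the allowed set taken from your site's policy; locked accounts are included because their old hash becomes active again if the account is unlocked.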