Password Hashes Configuration

Note:

If you are using the account-policy SMF stencil and the config/etc_default_passwd property is enabled, you change the password configuration as SMF properties of the account-policy service rather than in the /etc/security/policy.conf file. For more information, see Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

The account-policy service has three parameters that affect password hashes:

password/crypt/algorithms_allow astring 2a 5 6
password/crypt/algorithms_deprecate astring
password/crypt/default astring 5

These correspond to CRYPT_ALGORITHMS_ALLOW, CRYPT_ALGORITHMS_DEPRECATE and CRYPT_DEFAULT in /etc/security/policy.conf. algorithms_allow lists the identifiers of the hash algorithms that existing passwords are allowed to keep; algorithms_deprecate lists identifiers that are still accepted for login but are replaced by the default the next time that user changes a password (the value above is empty, so nothing is deprecated); default is the identifier used for the passwords of new users and for any password whose current algorithm is not allowed. With the values shown, crypt_bsdbf (2a), crypt_sha256 (5) and crypt_sha512 (6) are allowed, and new passwords are hashed with crypt_sha256.

When you change the value for password/crypt/default, the passwords of new users are hashed with the algorithm that is associated with the new value. (The man pages call this password encryption; crypt(3C) produces a one-way hash, and the identifier of the algorithm is recorded as the $identifier$ prefix of the stored hash.)

When existing users change their passwords, the algorithm that was used for the old password determines which algorithm is used for the new one: the old algorithm is kept if its identifier is in the allow list and not in the deprecate list; otherwise the new password is hashed with the default. For example, assume that the administrator has changed the password parameters to CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 and CRYPT_DEFAULT=6, with CRYPT_ALGORITHMS_DEPRECATE left empty (in the account-policy service, these are password/crypt/algorithms_allow, password/crypt/default and password/crypt/algorithms_deprecate). The following table shows which algorithm would be used to generate the new hash. Each row is written as identifier = algorithm, where the identifier is the prefix stored with the user's current hash.

Initial Password        Changed Password          Explanation
1 = crypt_bsdmd5        Uses same algorithm       The 1 identifier is in the CRYPT_ALGORITHMS_ALLOW list, so the user's password continues to be hashed with the crypt_bsdmd5 algorithm.
2a = crypt_bsdbf        Uses same algorithm       The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list, so the new password is hashed with the crypt_bsdbf algorithm.
md5 = crypt_md5         Uses same algorithm       The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list, so the new password is hashed with the crypt_md5 algorithm.
5 = crypt_sha256        Uses same algorithm       The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list, so the new password continues to be hashed with the crypt_sha256 algorithm.
6 = crypt_sha512        Uses same algorithm       The 6 identifier is in the CRYPT_ALGORITHMS_ALLOW list and is also the value of CRYPT_DEFAULT, so the new password continues to be hashed with the crypt_sha512 algorithm.
__unix__ = crypt_unix   Uses crypt_sha512         The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list, so the crypt_unix algorithm cannot be used. The new password is hashed with the CRYPT_DEFAULT algorithm, crypt_sha512.

Note that because an allowed algorithm is kept on password change, listing 1, md5 or __unix__ in CRYPT_ALGORITHMS_ALLOW means users who already have MD5-based or traditional crypt_unix hashes (the latter only covers the first 8 characters of the password) stay on them indefinitely. To move those users to the default, remove the identifier from the allow list or add it to CRYPT_ALGORITHMS_DEPRECATE; the migration happens at their next password change, not immediately.
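The selection rule described above and illustrated in the table, as an added example that is not part of the Oracle documentation and does not reproduce the libc implementation: it reads the $identifier$ prefix of a stored hash, applies the allow, deprecate and default settings, and reports which algorithm each user's next password would get. The shadow-style lines and hash strings are constructed for the example (they are not valid hashes), and the policy_warnings check is this example's own sanity check, not a check that account-policy performs.

```python
import re

# Identifier -> crypt(3C) module name, as used in the table on this page.
ALGORITHM_NAMES = {
    "1": "crypt_bsdmd5",
    "2a": "crypt_bsdbf",
    "md5": "crypt_md5",
    "5": "crypt_sha256",
    "6": "crypt_sha512",
    "__unix__": "crypt_unix",
}

# Constructed "user:hash" lines in the style of /etc/shadow. The hash bodies
# are placeholders; only the $identifier$ prefix matters for this example.
SAMPLE_SHADOW = [
    "alice:$1$aB3x$constructedbsdmd5",
    "bob:$2a$08$constructedbcryptsaltandhash",
    "carol:$md5$q7Lz$constructedsunmd5",
    "dave:$5$saltsalt$constructedsha256",
    "erin:$6$saltsalt$constructedsha512",
    "frank:abJnggxhB/yWI",  # 13 characters, no "$": traditional crypt_unix
    "newuser:",             # account with no password hash yet
]


def parse_list(value):
    """Split a comma-separated identifier list such as '1,2a,md5,5,6'.
    An empty string (the page's algorithms_deprecate value) yields []."""
    return [item.strip() for item in value.split(",") if item.strip()]


def identifier_of(stored_hash):
    """Algorithm identifier of an existing hash field.

    Modular hashes are stored as $<identifier>$...; anything without that
    prefix is treated as a traditional crypt_unix hash (__unix__)."""
    match = re.match(r"^\$([^$]+)\$", stored_hash)
    return match.group(1) if match else "__unix__"


def choose_algorithm(stored_hash, allow, deprecate, default):
    """Identifier used for a user's next password, following the rule in
    the text: no existing hash -> default; existing hash keeps its algorithm
    if that identifier is allowed and not deprecated; otherwise -> default."""
    if not stored_hash:
        return default
    current = identifier_of(stored_hash)
    if current in parse_list(allow) and current not in parse_list(deprecate):
        return current
    return default


def migration_table(shadow_lines, allow, deprecate, default):
    """For each 'user:hash' line, return (user, current_id, next_id)."""
    rows = []
    for line in shadow_lines:
        user, stored = line.split(":", 1)
        current = identifier_of(stored) if stored else None
        rows.append((user, current, choose_algorithm(stored, allow, deprecate, default)))
    return rows


def policy_warnings(allow, deprecate, default):
    """Sanity checks for a proposed setting (part of this example only):
    the default must be allowed, and weak algorithms should not be kept."""
    allowed, deprecated = parse_list(allow), parse_list(deprecate)
    warnings = []
    if default not in allowed:
        warnings.append(f"default {default!r} is not in the allow list")
    for weak in ("__unix__", "1", "md5"):
        if weak in allowed and weak not in deprecated:
            warnings.append(f"{weak} ({ALGORITHM_NAMES[weak]}) is still allowed and not deprecated")
    return warnings


if __name__ == "__main__":
    # The page's account-policy values: allow 2a,5,6 and default 5.
    allow, deprecate, default = "2a,5,6", "", "5"
    for user, current, nxt in migration_table(SAMPLE_SHADOW, allow, deprecate, default):
        print(f"{user:8} {current or '-':9} -> {nxt} ({ALGORITHM_NAMES.get(nxt, '?')})")
    for warning in policy_warnings("1,2a,md5,5,6", "", "6"):
        print("warning:", warning)
```

Run against the settings from the worked example in the text (allow 1,2a,md5,5,6, default 6), every user keeps their current algorithm except frank, whose crypt_unix hash is replaced by crypt_sha512; with the account-policy values shown at the top of the page (allow 2a,5,6, default 5), alice, carol and frank are all moved to crypt_sha256 at their next password change.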

For more information about configuring the algorithm choices, see the account-policy(8S) man page. To specify password encryption algorithms, see Changing the Default Algorithm for Password Encryption.