Update details of how to specify or determine which password format is in use

PR:		docs/31899
Submitted by:	Martin Heinen <martin@sumuk.de>
Tom Hukins 2001-11-16 12:07:18 +00:00
parent 06f5972272
commit a2a2949916
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=11228

@ -978,50 +978,35 @@
<sect2>
<title>Recognizing Your Crypt Mechanism</title>
<para>Before FreeBSD 4.4 <filename>libcrypt.a</filename> was a
symbolic link pointing to the library which was used for
encryption. FreeBSD 4.4 changed <filename>libcrypt.a</filename> to
provide a configurable password authentication hash library.
Currently the library supports DES, MD5 and Blowfish hash
functions. By default FreeBSD uses MD5 to encrypt
passwords.</para>
<para>It is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the <filename>/etc/master.passwd</filename> file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
<literal>&dollar;1&dollar;</literal>. DES password strings do not
<literal>&dollar;1&dollar;</literal>. Passwords starting with
<literal>&dollar;2&dollar;</literal> are encrypted with the
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the <literal>&dollar;</literal>
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.</para>
<para>The libraries can identify the passwords this way as well.
As a result, the DES libraries are able to identify MD5
passwords, and use MD5 to check passwords that were encrypted
that way, and DES for the rest. They are able to do this
because the DES libraries also contain MD5. Unfortunately, the
reverse is not true, so the MD5 libraries cannot authenticate
passwords that were encrypted with DES.</para>
<para>Identifying which library is being used by the programs on
your system is easy as well. Any program that uses crypt is linked
against libcrypt, which for each type of library is a symbolic link
to the appropriate implementation. For example, on a system using
the DES versions:</para>
<para>The password format used for new passwords is controlled
by the <quote>passwd_format</quote> login capability in
<filename>/etc/login.conf</filename>, which takes values of
<quote>des</quote> or <quote>md5</quote> or
<quote>blf</quote>. See the &man.login.conf.5; manual page
for more information about login capabilities.</para>
<screen>&prompt.user; <userinput>ls -l /usr/lib/libcrypt*</userinput>
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -&gt; libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -&gt; libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -&gt; libdescrypt_p.a</screen>
<para>On a system using the MD5-based libraries, the same links will
be present, but the target will be <filename>libscrypt</filename>
rather than <filename>libdescrypt</filename>.</para>
<para>If you have installed the DES-capable crypt library
<filename>libdescrypt</filename> (e.g. by installing the
"crypto" distribution), then which password format will be used
for new passwords is controlled by the
<quote>passwd_format</quote> login capability in
<filename>/etc/login.conf</filename>, which takes values of
either <quote>des</quote> or <quote>md5</quote>. See the
&man.login.conf.5; manual page for more information about login
capabilities.</para>
</sect2>
</sect1>
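
Review bot: In the added sentence "Passwords starting with $2$ are encrypted with the Blowfish hash function", the prefix should be checked against what crypt(3) actually writes to /etc/master.passwd: Blowfish (bcrypt) strings carry a version letter after the 2, as in $2a$, so a reader matching on a literal $2$ would fail to recognise them. Suggest giving the prefix exactly as it appears in the file. In the new passwd_format paragraph, des, md5 and blf are literal configuration values, so <literal> fits better than <quote> and matches how the hash prefixes are marked up earlier in the section; "des, md5 or blf" also reads better than the chained "or".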