BSD Links · New Links · Advocacy · Drivers · Events · Flavours · FAQs · Guides · Programming · Security · Software · User Groups

This is the BSDA Study Guide Book written via a wiki collaboration. This is a work in progress. You may contribute to or discuss this specific page at http://bsdwiki.reedmedia.net/wiki/Change_the_encryption_algorithm_used_to_encrypt_the_password_database.html. Change the encryption algorithm used to encrypt the password database Concept Given a screenshot of a password database, an admin should be able to recognize the encryption algorithm in use and how to select another algorithm. Have a basic understanding of when to use DES, MD5 and Blowfish. Introduction TODO: test and document on other BSD systems -- as appropriate make this content not BSD specific On NetBSD, the passwd(1) command (covered in section TODO) can use an /etc/passwd.conf configuration to choose the password algorithm. The format is ..TODO... The default is "old" which is the common crypt(3) DES encryption scheme. TODO: passwd.c doesn't call pw_getconf() so I think it must use pam for this? The following are examples of different results based on the same password. old but common crypt(3) DES: 7rpABVh3LoKjE MD5: $1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1 NetBSD newsalt: _Gl/.Sw2RBVnj01TI6Tc SHA1: $sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH Blowfish: $2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq As you can see, the new algorithms use a format that can be recognized by routines (like TODO) so they know what to compare with. TODO: show this format (Note while high rounds may improve security, it can be expensive -- very slow to generate hash.) TODO: reword this or better explain Examples Practice Exercises More information login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)