System Administration Guide: Security Services
Previous Next

Changing the Default Algorithm for Password Encryption

By default, user passwords are encrypted with the crypt_unix algorithm. You can use a stronger encryption algorithm, such as MD5 or Blowfish, by changing the default password encryption algorithm.

How to Specify an Algorithm for Password Encryption

In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of machines that run the Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2-1.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Specify the identifier for your chosen encryption algorithm.

    Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.

    You might want to comment the file to explain your choice.

    # cat /etc/security/policy.conf
    …
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    #
    # Use the version of MD5 that works with Linux and BSD systems.
    # Passwords previously encrypted with __unix__ will be encrypted with MD5
    # when users change their passwords.
    #
    #
    CRYPT_DEFAULT=__unix__
    CRYPT_DEFAULT=1

    In this example, the algorithms configuration ensures that the weakest algorithm, crypt_unix, is never used to encrypt a password. Users whose passwords were encrypted with the crypt_unix module get a crypt_bsdmd5-encrypted password when they change their passwords.

    For more information on configuring the algorithm choices, see the policy.conf(4) man page.

Example 3-6 Using the Blowfish Algorithm for Password Encryption

In this example, the identifier for the Blowfish algorithm, 2a, is specified as the value for the CRYPT_DEFAULT variable in the policy.conf file:

CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=2a

This configuration is compatible with BSD systems that use the Blowfish algorithm.

How to Specify a New Password Algorithm for an NIS Domain

When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file. The NIS client machine encrypts the password.

  1. Specify the password encryption algorithm in the /etc/security/policy.conf file on the NIS client.
  2. Copy the modified /etc/security/policy.conf file to every client machine in the NIS domain.
  3. To minimize confusion, copy the modified /etc/security/policy.conf file to the NIS root server and to the slave servers.

How to Specify a New Password Algorithm for an NIS+ Domain

When users in an NIS+ domain change their passwords, the NIS+ name service consults the algorithms configuration in the /etc/security/policy.conf file on the NIS+ master. The NIS+ master, which is running the rpc.nispasswd daemon, creates the encrypted password.

  1. Specify the password encryption algorithm in the /etc/security/policy.conf file on the NIS+ master.
  2. To minimize confusion, copy the NIS+ master's /etc/security/policy.conf file to every host in the NIS+ domain.

How to Specify a New Password Algorithm for an LDAP Domain

When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves.

  1. Specify a password encryption algorithm in the /etc/security/policy.conf file on the LDAP client.
  2. Copy the modified policy.conf file to every client machine in the LDAP domain.
  3. Ensure that the client's /etc/pam.conf file does not use a pam_ldap module.

    Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the new server_policy option with the pam_authtok_store.so.1 module.

    The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.

    When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client machine encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.


    Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the server by using the Sun JavaTM System Directory Server's cryptographic mechanism. For the procedure, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).


How to Install a Password Encryption Module From a Third Party

A third-party password encryption algorithm is typically delivered as a module in a software package. When you run the pkgadd command, scripts from the vendor should modify the /etc/security/crypt.conf file. You then modify the /etc/security/policy.conf file to include the new module and its identifier.

  1. Add the software by using the pkgadd command.

    For detailed instructions on how to add software, see Adding or Removing a Software Package (pkgadd) in System Administration Guide: Basic Administration.

  2. Confirm that the new module and module identifier have been added.

    Read the list of encryption algorithms in the /etc/security/crypt.conf file.

    For example, the following lines show that a module that implements the crypt_rot13 algorithm has been installed.

    # crypt.conf
    #
    md5 /usr/lib/security/$ISA/crypt_md5.so
    rot13 /usr/lib/security/$ISA/crypt_rot13.so
    
    # For *BSD - Linux compatibility
    # 1 is MD5,  2a is Blowfish
    1 /usr/lib/security/$ISA/crypt_bsdmd5.so
    2a /usr/lib/security/$ISA/crypt_bsdbf.so
  3. Add the identifier of the newly installed algorithm to the /etc/security/policy.conf file.

    The following lines show excerpts from the policy.conf file that would need to be modified to add the rot13 identifier.

    # Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
    # ...
    #ident  "@(#)policy.conf        1.6     02/06/07 SMI"
    # ...
    # crypt(3c) Algorithms Configuration
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5,rot13
    #CRYPT_ALGORITHMS_DEPRECATE=__unix__
    CRYPT_DEFAULT=md5

    In this example, the rot13 algorithm is used if the current password was encrypted with the crypt_rot13 algorithm. New user passwords are encrypted with the crypt_sunmd5 algorithm. This algorithms configuration works on Solaris-only networks.

Previous Next