Artwork, Interior and Dress Design
- Artist - Spomenka Pejasinovic-Baljevic, Bachelor of Arts
IT Systems Programming and Consulting
IT Systems Training
- Selected IT Systems Presentations and Webinars
- Presentations at Slideshare: World's Largest Community for Sharing Presentations Online
- 8 years experience in teaching over 50 IT subjects
  - Information Security
    - Information Security Essential Plus
    - Information Security Risk Management and Business Continuity
    - HP Enterprise Security Governance and Policies
    - CSA Certificate of Cloud Security Knowledge Foundation
  - Matrix OE and Converged Infrastructure
    - HP Matrix Operating Environment: Infrastructure Orchestration Integration
    - HP CloudSystems Matrix Administration
    - HP Matrix Operating Environment Foundations
    - HP Converged Infrastructure
    - Administering HP Converged Infrastructure Solutions
    - HP Insight Control Server Provisioning
  - Unix
    - Unix Fundamentals (Subject Matter Expert)
    - HP-UX System and Network Administration I (Subject Matter Expert)
    - HP-UX System and Network Administration II (Subject Matter Expert
    - HP-UX Security (Subject Matter Expert)
    - HP-UX Performance and Tuning (Subject Matter Expert)
    - HP-UX System and Network Troubleshooting (Subject Matter Expert)
    - HP-UX Logical Volume Manager
    - HP-UX managing Software with Ignite-UX
    - HP-UX Resource Management: PRM and WLM
    - HP-UX System Administration for Solaris and AIX Administrators
    - HP-UX System Administration for Linux Administrators
    - HP Integrity VM and HP-UX vPars Administration (Subject Matter Expert)
    - Solaris System Administration
    - Tru64 System Administration
  - Linux
    - Red Hat Linux System Administration I
    - Red Hat Linux System Administration II
    - Red Hat Linux Programming
    - Red Hat Linux Programming
    - Red Hat Linux Security
    - Red Hat Linux Troubleshooting
    - Suse Linux System Administration I
    - Suse Linux System Administration II
    - Ubuntu Linux System Administration
  - Clustering
    - HP Serviceguard I
    - HP Serviceguard II Continentalclusters, CFS and Oracle RAC
    - HP Metrocluster
    - Sun Cluster
    - Red Hat Cluster
    - Veritas Cluster
  - Programming
    - Posix Shell Programming
    - Perl Programming
  - Storage, Backups, Hardware and Misc Subjects
    - HP Accelerated SAN Essentials
    - Managing HP 3PAR StoreServ I
    - Managing HP 3PAR StoreServ II
    - Managing HP StoreEasy Configuration, Administration, and Troubleshooting
    - Managing HP StoreOnce Backup Solutions
    - Managing HP Enterprise Virtual Array
    - HP Enterprise Virtual Array Performance Analysis
    - HP Enterprise Virtual Array Business Continuity and Availability
    - Business Continuity and Availability
    - Managing HP StoreVirtual 2000 Storage Administration and Configuration
    - Managing HP StoreVirtual 4000 Storage Administration and Configuration
    - HP StorageWorks X9000 File Serving Software System Administration
    - HP X1000/X3000 Administration
    - HP StorageWorks Virtual Library Systems (VLS) Configuration Management
    - Managing HP Storage D2D Solutions
    - Data Protector
    - Veritas NetBackup
  - Hardware and Misc Subjects
    - HP Superdome 2 Administration (Subject Matter Expert)
    - HP Integrity Cell-based Server Administration (Subject Matter Expert)
    - HP Integrity Blade Server Administration
    - HP BladeSystem Virtual Connect
    - HP BladeSystem Fast Track
    - Veritas Volume Manager
    - HP Capacity Advisor and Global Workload Manager

Interesting Small Projects

Our Mission Statement
Our IT Systems Services
Testimonials
Contact Us (spam filtering enabled)
- Enquiries
- Abuse
- Webadmin
Home Page

Brief summary of standard password hashes on Unix and Linux systems 2014

The following information is based on current versions of operating systems:

RHEL and CentOS 6.5
OpenSUSE 13.1
Ubuntu 14.04
Oracle Linux 6.5
FreeBSD 10
HP-UX 11i v3
Solaris 11

More detaild summary has been publised at Slideshare:

Brief-summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-2014-by-Dusan-Baljevic

Contrary to popular belief, the account password entries in /etc/shadow can have more than three "$"-separators (hint: when one uses SHA-256|512 hashing and non-default number of rounds).

On standard servers, three "$"-separated values are part of the password string in /etc/shadow:

someuser:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.:
0:99999:7:::

Inside hashed password string

What is inside the password string $5$String1$String2:

$5      SHA-256 hashing
String1 "Y4HhzEPz" salt
String2 "mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon." hashed password

The extra "$"-separted field can exist when non-default number of rounds is implemented. Then we have, for example, $6$Rounds$String1$String2:

$6$rounds=85000
$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

$6      SHA-512 hashing 
Rounds  85000 times
String1 "pA/kjrZS"
String2 "wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi."

Examples of valid password hashes on Linux servers

SHA-256 hashing:
$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.

SHA-512 hashing account with non-default rounds:
$6$rounds=85000$pA/kjrZS
$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

SHA-512 hashing account:
$6$zgpfWfGc
$ACfCZLTLeJzLhiC1gyO0Bj5JlD337zAW.L25FpYz07QalwRQJYAJ
8AIFL69PxK2XwoDehTLzPT64AsrMUsL1o0

MD5 hashing account:
$1$6tAaCsfx$E2amS8ko4ks1lxz7izSL//

Blowfish hashing account:
$2y$05$Z4taSkam70Vc9mMqtrAby25ixpstvJUf49gqzPtjhkscGgu4Zvd6c

Linux standard hashes

In current Linux distributions, the following prefixes for hashes are standard:

"1"         hashing-algorithm=BSD-MD5
"2a"        hashing-algorithm=BSD-Blowfish
"2y"        hashing-algorithm=BSD-Blowfish (SUSE)
"5"         hashing-algorithm=SHA-256
"6"         hashing-algorithm=SHA-512
""          hashing-algorithm=DES
"_"         hashing-algorithm=Extended-BSDI-DES (SUSE)

FreeBSD 10 standard hashes

The following prefixes for hashes are standard:

"1"   hashing-algorithm=MD5
"2"   hashing-algorithm=Blowfish
"3"   hashing-algorithm=NT-Hash
"4"   (unused) 
"5"   hashing-algorithm=SHA-256
"6"   hashing-algorithm=SHA-512

The NT-hash scheme does not use a salt, and is not hard to break in.

File /etc/login.conf can be used to define the format:

passwd_format    string sha512

The encryption format that new or changed passwords will use. Valid values include "des", "md5", "blf", "sha256" and "sha512".

Solaris 11 standard hashes

"1"         hashing-algorithm=BSD-MD5
"2a"        hashing-algorithm=Blowfish
"MD5"       hashing-algorithm=SUN-MD5
"5"         hashing-algorithm=SHA-256
"6"         hashing-algorithm=SHA-512
"__unix__"  hashing-algorithm=SHA-512 (deprecated)

AIX standard hashes

File /etc/security/login.cfg, attribute pwd_algorithm defines default hash on AIX systems: crypt, which is the legacy crypt algorithm.

"crypt"    hashing-algorithm=DES

It can be changed to an algorithm listed in /etc/security/pwdalg.cfg file.

File /etc/security/pwdalg.cfg lists additional supported encryption algorithms. For AIX 7 the supported algorithms are:

"smd5"     hashing-algorithm=MD5
"ssha256"  hashing-algorithm=SHA-256

HP-UX standard hashes

"__unix__" hashing-algorithm=DES

HP-UX 11i v1 (11.11) and 11i v2 (11.23) do not support changing the encryption algorithm. To support changing the encryption algorithm on 11i v3 (11.31) systems, the Password Hash Infrastructure for HP-UX 11i v3 (PHI11i3) package must be installed (/etc/default/security, entry CRYPT_DEFAULT - default value is "__unix__"the legacy encryption algorithm). The only other supported value is 6, which implements an algorithm based on SHA-512. After adding this option, the following hashes are supported:

"6"        hashing-algorithm=SHA-512
"__unix__" hashing-algorithm=DES

Recommendations

Minimum recommended password hashing on Linux systems is SHA-512.

For different Linux distributions, one of following methods are used:

Run "authconfig --passalgo=sha512 --update"
Set "CRYPT=SHA512" in /etc/default/passwd
Modify "password" line in /etc/pam.d/common-password
Set "ENCRYPT_METHOD SHA512" in /etc/login.defs

To change the password hashing type on other Unices, follow the examples below.

On FreeBSD:

Edit /etc/login.conf

On AIX:

Edit /etc/security/login.cfg

On Solaris:

Edit /etc/security/policy.conf

On HP-UX 11i v3 (11.31) with Password Hash Infrastructure:

Edit /etc/default/security

Example of audit of pasword hashes for Linux systems

Linux-audit-account-password-hashing.pl