Brief summary of standard password hashes on Unix and Linux systems 2014
The following information is based on current versions of operating systems:
- RHEL and CentOS 6.5
- OpenSUSE 13.1
- Ubuntu 14.04
- Oracle Linux 6.5
- FreeBSD 10
- HP-UX 11i v3
- Solaris 11
Brief-summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-2014-by-Dusan-Baljevic
Contrary to popular belief, the account password entries in /etc/shadow can have more than three "$"-separators (hint: when SHA-256 or SHA-512 hashing is used with a non-default number of rounds).
On standard servers, three "$"-separated values are part of the password string in /etc/shadow:

someuser:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.:0:99999:7:::

Inside hashed password string
What is inside the password string $5$String1$String2:

$5        SHA-256 hashing
String1   "Y4HhzEPz" (salt)
String2   "mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon." (hashed password)

The extra "$"-separated field can exist when a non-default number of rounds is implemented. When no rounds field is present, the SHA-256 and SHA-512 schemes use their default of 5000 rounds. With explicit rounds we have, for example, $6$Rounds$String1$String2:

$6$rounds=85000$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

$6        SHA-512 hashing
Rounds    85000 times
String1   "pA/kjrZS" (salt)
String2   "wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi." (hashed password)

Examples of valid password hashes on Linux servers
SHA-256 hashing:
$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.

SHA-512 hashing account with non-default rounds:
$6$rounds=85000$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

SHA-512 hashing account:
$6$zgpfWfGc$ACfCZLTLeJzLhiC1gyO0Bj5JlD337zAW.L25FpYz07QalwRQJYAJ8AIFL69PxK2XwoDehTLzPT64AsrMUsL1o0

MD5 hashing account:
$1$6tAaCsfx$E2amS8ko4ks1lxz7izSL//

Blowfish hashing account:
$2y$05$Z4taSkam70Vc9mMqtrAby25ixpstvJUf49gqzPtjhkscGgu4Zvd6c

Linux standard hashes
In current Linux distributions, the following prefixes for hashes are standard:

"1"    hashing-algorithm=BSD-MD5
"2a"   hashing-algorithm=BSD-Blowfish
"2y"   hashing-algorithm=BSD-Blowfish (SUSE)
"5"    hashing-algorithm=SHA-256
"6"    hashing-algorithm=SHA-512
""     hashing-algorithm=DES (no prefix; traditional 13-character crypt)
"_"    hashing-algorithm=Extended-BSDI-DES (SUSE)

FreeBSD 10 standard hashes
The following prefixes for hashes are standard:

"1"    hashing-algorithm=MD5
"2"    hashing-algorithm=Blowfish
"3"    hashing-algorithm=NT-Hash
"4"    (unused)
"5"    hashing-algorithm=SHA-256
"6"    hashing-algorithm=SHA-512

The NT-Hash scheme does not use a salt and is not hard to break; it exists for compatibility with Windows-style authentication and should not be chosen as a password storage format.
File /etc/login.conf can be used to define the format:

passwd_format   string   sha512

The encryption format that new or changed passwords will use. Valid values include "des", "md5", "blf", "sha256" and "sha512".
Solaris 11 standard hashes

"1"         hashing-algorithm=BSD-MD5
"2a"        hashing-algorithm=Blowfish
"md5"       hashing-algorithm=SUN-MD5
"5"         hashing-algorithm=SHA-256
"6"         hashing-algorithm=SHA-512
"__unix__"  hashing-algorithm=traditional Unix crypt (DES-based; deprecated)

The algorithms allowed and the default used for new passwords are set in /etc/security/policy.conf (entries CRYPT_ALGORITHMS_ALLOW and CRYPT_DEFAULT).

AIX standard hashes
File /etc/security/login.cfg, attribute pwd_algorithm, defines the default hash on AIX systems. The default is crypt, which is the legacy crypt algorithm:

"crypt"     hashing-algorithm=DES

It can be changed to an algorithm listed in the file /etc/security/pwdalg.cfg, which lists the additional supported encryption algorithms. For AIX 7 the supported algorithms are:

"smd5"      hashing-algorithm=MD5
"ssha256"   hashing-algorithm=SHA-256

HP-UX standard hashes

"__unix__"  hashing-algorithm=DES

HP-UX 11i v1 (11.11) and 11i v2 (11.23) do not support changing the encryption algorithm. To support changing the encryption algorithm on 11i v3 (11.31) systems, the Password Hash Infrastructure for HP-UX 11i v3 (PHI11i3) package must be installed. The default is then set in /etc/default/security, entry CRYPT_DEFAULT; its default value is "__unix__", the legacy encryption algorithm. The only other supported value is 6, which implements an algorithm based on SHA-512. After installing this package, the following hashes are supported:

"6"         hashing-algorithm=SHA-512
"__unix__"  hashing-algorithm=DES

Recommendations
Minimum recommended password hashing on Linux systems is SHA-512.

Depending on the Linux distribution, one of the following methods is used to set it:

Run "authconfig --passalgo=sha512 --update" (RHEL, CentOS, Oracle Linux)
Set "CRYPT=SHA512" in /etc/default/passwd (OpenSUSE)
Modify the "password" line in /etc/pam.d/common-password (Ubuntu)
Set "ENCRYPT_METHOD SHA512" in /etc/login.defs

Changing the default only affects passwords set afterwards: existing entries keep their old hash until the password is next changed, so a change of default should be followed by an audit of /etc/shadow and a forced password change for accounts still on weaker hashes.

To change the password hashing type on other Unices, follow the examples below.
On FreeBSD:
Edit /etc/login.conf

On AIX:
Edit /etc/security/login.cfg

On Solaris:
Edit /etc/security/policy.conf

On HP-UX 11i v3 (11.31) with Password Hash Infrastructure:
Edit /etc/default/security

Example of audit of password hashes for Linux systems
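The script below is an added example written for this page, not the author's own audit script. It applies the hash-string breakdown and the Linux prefix list given above to shadow(5)-style entries: each password field is split on "$", the scheme is identified by its prefix, the optional rounds= field, salt and digest are separated out, digest lengths are checked, and accounts below the recommended minimum (anything other than SHA-512 or Blowfish) are reported. The thresholds MIN_SHA_ROUNDS and MIN_BCRYPT_COST are assumptions chosen for the example, and SAMPLE_SHADOW is constructed input (it reuses the example hashes quoted above; the DES entry is only a syntactic placeholder).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# "$"-prefix -> algorithm, as in the Linux prefix list above.
LINUX_PREFIXES = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
                  "5": "SHA-256", "6": "SHA-512"}
# Digest length (crypt base64 characters) of each "$"-prefixed scheme.
DIGEST_LENGTHS = {"MD5": 22, "SHA-256": 43, "SHA-512": 86}
# SHA-crypt uses 5000 rounds when no "rounds=" field is present.
SHA_ROUNDS_DEFAULT = 5000
# Audit thresholds: assumptions chosen for this example, not taken from the text.
MIN_SHA_ROUNDS = 5000
MIN_BCRYPT_COST = 10


@dataclass
class HashInfo:
    user: str
    algorithm: str                  # scheme name, or "locked" / "empty" / "malformed"
    rounds: Optional[int] = None    # SHA-crypt rounds or bcrypt cost (log2 iterations)
    salt: str = ""
    digest: str = ""
    findings: List[str] = field(default_factory=list)


def parse_hash(user: str, pwfield: str) -> HashInfo:
    """Classify the second field of one shadow entry and record audit findings."""
    info = HashInfo(user, "unknown")
    if pwfield == "":
        info.algorithm = "empty"
        info.findings.append("empty password field")
        return info
    if pwfield[0] in "!*":           # "!", "!!", "*", or "!" prepended to an old hash
        info.algorithm = "locked"
        return info
    if pwfield[0] != "$":            # no prefix: traditional DES or "_" Extended-BSDI-DES
        info.algorithm = "Extended-BSDI-DES" if pwfield[0] == "_" else "DES"
        info.digest = pwfield
        info.findings.append("%s is below the recommended minimum (SHA-512)" % info.algorithm)
        return info

    parts = pwfield.split("$")       # parts[0] is "" because of the leading "$"
    algorithm = LINUX_PREFIXES.get(parts[1])
    if algorithm is None:
        info.algorithm = "malformed"
        info.findings.append("unknown prefix $%s$" % parts[1])
        return info
    info.algorithm = algorithm

    if algorithm == "Blowfish":      # $2y$COST$ followed by 22 salt + 31 digest chars
        if len(parts) != 4 or not parts[2].isdigit() or len(parts[3]) != 53:
            info.algorithm = "malformed"
            info.findings.append("expected $2y$cost$<53 characters>")
            return info
        info.rounds = int(parts[2])
        info.salt, info.digest = parts[3][:22], parts[3][22:]
        if info.rounds < MIN_BCRYPT_COST:
            info.findings.append("bcrypt cost %d below %d" % (info.rounds, MIN_BCRYPT_COST))
        return info

    body = parts[2:]                 # [rounds=N,] salt, digest
    if algorithm != "MD5":           # only the SHA-crypt schemes take a rounds= field
        if body and body[0].startswith("rounds=") and body[0][7:].isdigit():
            info.rounds, body = int(body[0][7:]), body[1:]
        else:
            info.rounds = SHA_ROUNDS_DEFAULT
    if len(body) != 2 or len(body[1]) != DIGEST_LENGTHS[algorithm]:
        info.algorithm = "malformed"
        info.findings.append("expected $id$[rounds=N$]salt$digest with a %d-character digest"
                             % DIGEST_LENGTHS[algorithm])
        return info
    info.salt, info.digest = body
    if algorithm != "SHA-512":
        info.findings.append("%s is below the recommended minimum (SHA-512)" % algorithm)
    if info.rounds is not None and info.rounds < MIN_SHA_ROUNDS:
        info.findings.append("rounds=%d below %d" % (info.rounds, MIN_SHA_ROUNDS))
    return info


def audit_shadow(text: str) -> List[HashInfo]:
    """Parse every non-blank line of shadow(5)-style text (user:hash:...)."""
    results = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            results.append(parse_hash(fields[0], fields[1] if len(fields) > 1 else ""))
    return results


# Constructed sample: the hashes are the example strings quoted in the text above; the DES
# entry is a 13-character syntactic placeholder, not a real hash; ageing fields are made up.
SAMPLE_SHADOW = """\
sha512user:$6$zgpfWfGc$ACfCZLTLeJzLhiC1gyO0Bj5JlD337zAW.L25FpYz07QalwRQJYAJ8AIFL69PxK2XwoDehTLzPT64AsrMUsL1o0:16100:0:99999:7:::
roundsuser:$6$rounds=85000$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.:16100:0:99999:7:::
sha256user:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.:16100:0:99999:7:::
md5user:$1$6tAaCsfx$E2amS8ko4ks1lxz7izSL//:16100:0:99999:7:::
bfuser:$2y$05$Z4taSkam70Vc9mMqtrAby25ixpstvJUf49gqzPtjhkscGgu4Zvd6c:16100:0:99999:7:::
desuser:ab/CdEfGhIjK.:16100:0:99999:7:::
locked:!!:16100:0:99999:7:::
nopass::16100:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real host run as root: audit_shadow(open("/etc/shadow").read())
    for h in audit_shadow(SAMPLE_SHADOW):
        print("%-11s %-18s rounds=%-6s %s" % (h.user, h.algorithm, h.rounds,
                                             "; ".join(h.findings) or "ok"))
```

Run as root with the contents of /etc/shadow in place of SAMPLE_SHADOW; the accounts to act on are those whose findings are non-empty, since changing the system default (see the Recommendations above) does not rewrite existing entries. Locked entries ("!", "!!", "*") are reported as locked rather than as weak, even where the locked string still carries an old hash after the "!".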