Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cdbff23301
NetBSD/share/man/man5/passwd.conf.5
sjg 3a0c68edfd Add support for SHA1 hashed passwords. 
The algorithm used is essentially PBKDF1 from RFC 2898 but using
hmac_sha1 rather than SHA1 directly (suggested by smb@research.att.com).

 * The format of the encrypted password is:
 * $<tag>$<iterations>$<salt>$<digest>
 *
 * where:
 *      <tag>           is "sha1"
 *      <iterations>    is an unsigned int identifying how many rounds
 *                      have been applied to <digest>.  The number
 *                      should vary slightly for each password to make
 *                      it harder to generate a dictionary of
 *                      pre-computed hashes.  See crypt_sha1_iterations.
 *      <salt>          up to 64 bytes of random data, 8 bytes is
 *                      currently considered more than enough.
 *      <digest>        the hashed password.

hmac.c implementes HMAC as defined in RFC 2104 and includes a unit
test for both hmac_sha1 and hmac_sha1 using a selection of the Known
Answer Tests from RFC 2202.

It is worth noting that to be FIPS compliant the hmac key (password)
should be 10-20 chars.
2004-07-02 00:05:23 +00:00

109 lines
3.4 KiB
Groff
Raw Blame History

.\" $NetBSD: passwd.conf.5,v 1.7 2004/07/02 00:05:23 sjg Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Niels Provos.
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 30, 2000
.Dt PASSWD.CONF 5
.Os
.Sh NAME
.Nm passwd.conf
.Nd password encryption configuration file
.Sh SYNOPSIS
.Nm
.Sh DESCRIPTION
The
.Pa /etc/passwd.conf
file, consisting of
.Dq stanzas ,
describes the configuration of the password cipher used
to encrypt local or YP passwords.
.Pp
There are default, user and group specific stanzas.
If no user or group
stanza to a specific option is available, the default stanza
is used.
.Pp
To differentiate between user and group stanzas, groups are prefixed
with a single colon
.Pq Sq \&: .
.Pp
Some fields and their possible values that can appear in this file are:
.Bl -tag -width localcipher
.It Sy localcipher
The cipher to use for local passwords.
Possible values are:
.Dq old ,
.Dq newsalt,\*[Lt]rounds\*[Gt] ,
.Dq md5 ,
.Dq sha1,\*[Lt]rounds\*[Gt] ,
and
.Dq blowfish,\*[Lt]rounds\*[Gt] .
For
.Dq newsalt
the value of rounds is a 24-bit integer with a minimum of 7250 rounds.
For
.Dq sha1
the value of rounds is a 32-bit integer, 0 means use the default
of 24680.
For
.Dq blowfish
the value can be between 4 and 31.
It specifies the base 2 logarithm of the number of rounds.
.It Sy ypcipher
The cipher to use for YP passwords.
The possible values are the same as for localcipher.
.El
.Pp
To retrieve information from this file use
.Xr pw_getconf 3 .
.Sh FILES
.Bl -tag -width /etc/passwd.conf -compact
.It Pa /etc/passwd.conf
.El
.Sh EXAMPLES
Use MD5 as the local cipher and old-style DES as the YP cipher.
Use blowfish with 2^5 rounds for root:
.Bd -literal
default:
localcipher = md5
ypcipher = old
root:
localcipher = blowfish,5
.Ed
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr pw_getconf 3 ,
.Xr passwd 5
.Sh HISTORY
The
.Nm
configuration file first appeared in
.Nx 1.6 .
Reference in New Issue View Git Blame Copy Permalink