1. Brief Summary of Standard
Password Hashes on Unix and
Linux Systems 2014
RHEL and CentOS 6.5, OpenSUSE 13.1, Ubuntu 14.04, Oracle Linux 6.5,
FreeBSD10, HP-UX11i v3, Solaris 11
Dusan Baljevic
Sydney, Australia
2. Standard Password Hashes Unix and
Linux Systems – May 2014
The following information is based on current versions of
operating systems:
RHEL and CentOS 6.5
OpenSUSE 13.1
Ubuntu 14.04
Oracle Linux 6.5
FreeBSD 10
HP-UX 11i v3
Solaris 11
3. Standard Password Hash Example
Contrary to popular belief, the account password entries in /etc/shadow can have
more than three "$"-separators (hint: when one, for example, uses SHA-256 or
SHA-512 hashing and a non-default number of rounds).
On standard servers, three "$"-separated values in the second “:”-separated field
are part of the user entry in /etc/shadow (line wrapped-around for readability):
someusr:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.:
0:99999:7:::
The string of interest for further discussion:
$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.
4. Inside Hashed Password String
What is inside the password string $5$Salt$Hash from the previous slide:
$5 SHA-256 hashing
Salt "Y4HhzEPz"
Hash "mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon."
The extra "$"-separated field can exist when a non-default number of rounds (see next
slide) is configured. Then we have, for example, $6$Rounds$Salt$Hash:
$6$rounds=85000
$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.
$6 SHA-512 hashing
Rounds 85000 times
Salt "pA/kjrZS"
Hash "wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi."
5. Rounds in Password Hashes
The security of existing hashing algorithms like MD5 can be increased.
This is done through a process known as "rounds", a parameter associated with almost
every password hashing algorithm.
Increasing the number of rounds is known as "key stretching": it makes a weak
password more resistant to brute-force attacks by increasing the time needed to
test each key.
For example, rounds=85000 means the system must compute 85000 hashes every
time a user logs in. An attacker likewise has to compute 85000 hashes for each
password they try against the hash in /etc/shadow. Therefore the attacker will be
delayed by a factor of 85000. Most modern computers will take less than 1 second
to compute 85000 hashes.
If there is no specification for the rounds option, the system will use the default value
for the given algorithm.
6. Examples of Valid Password Hashes on
Linux Systems*
SHA-256 hashing:
$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.
SHA-512 hashing account with non-default rounds:
$6$rounds=85000$pA/kjrZS
$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/
1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.
SHA-512 hashing account:
$6$zgpfWfGc
$ACfCZLTLeJzLhiC1gyO0Bj5JlD337zAW.L25FpYz07QalwRQJYAJ
8AIFL69PxK2XwoDehTLzPT64AsrMUsL1o0
MD5 hashing account:
$1$6tAaCsfx$E2amS8ko4ks1lxz7izSL//
Blowfish hashing account:
$2y$05$Z4taSkam70Vc9mMqtrAby25ixpstvJUf49gqzPtjhkscGgu4Zvd6c
7. Example of Password Hashes in Perl *
my %PWHASHARR = ( "1", "hashing-algorithm=MD5",
"2a", "hashing-algorithm=Blowfish",
"5", "hashing-algorithm=SHA-256",
"6", "hashing-algorithm=SHA-512",
);
Default string length (in characters) for encrypted part of the password string (third
or fourth “$”-separated field in password hash in /etc/shadow):
my %PWLEN = ( "1", "22",
"2a", "53",
"5", "43",
"6", "86",
);
If DES is used (strongly discouraged!), the length is 13 characters.
If, for example, SHA-512 is used, the encrypted part of the password is, by default, 86
characters long in /etc/shadow.
8. Linux Standard Hashes
In current Linux distributions, the following prefixes for hashes are standard:
"1" hashing-algorithm=BSD-MD5
"2a" hashing-algorithm=BSD-Blowfish
"2y" hashing-algorithm=BSD-Blowfish (SUSE)
"5" hashing-algorithm=SHA-256
"6" hashing-algorithm=SHA-512
"" hashing-algorithm=DES
"_" hashing-algorithm=Extended-BSDI-DES (SUSE)
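The prefix and length tables from the last two slides, applied to a password field, as an added Python example (it is not the author's Perl script). The names parse_hash and SCHEMES are hypothetical, and giving "2y" the same 53-character length as "2a" is an assumption of the example.

```python
import re

# Prefix -> (algorithm, default length of the hashed part), from the tables on this page.
SCHEMES = {"1": ("MD5", 22), "2a": ("Blowfish", 53), "2y": ("Blowfish", 53),
           "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
CRYPT_CHARS = re.compile(r"[./0-9A-Za-z]+")  # alphabet of crypt(3) hash encodings

def parse_hash(field):
    """Split the password field of a shadow entry and list anything malformed."""
    info = {"algorithm": None, "rounds": None, "salt": None, "hash": "", "problems": []}
    if not field.startswith("$"):
        # No "$" prefix: 13 characters is legacy DES, anything else is locked or empty.
        if len(field) == 13 and CRYPT_CHARS.fullmatch(field):
            info.update(algorithm="DES", salt=field[:2], hash=field[2:])
            info["problems"].append("legacy DES hash")
        else:
            info["problems"].append("no usable hash (locked or empty)")
        return info
    prefix, *rest = field[1:].split("$")
    if prefix not in SCHEMES:
        info["problems"].append("unknown prefix: " + prefix)
        return info
    info["algorithm"], expected = SCHEMES[prefix]
    if prefix in ("2a", "2y"):
        # Blowfish: $2y$cost$ then 53 characters holding salt and hash together.
        if len(rest) != 2 or not rest[0].isdigit():
            info["problems"].append("malformed Blowfish fields")
            return info
        info["rounds"], info["hash"] = 2 ** int(rest[0]), rest[1]
    else:
        if rest and rest[0].startswith("rounds="):
            # Optional extra field: $6$rounds=N$salt$hash
            value = rest.pop(0)[len("rounds="):]
            info["rounds"] = int(value) if value.isdigit() else None
            if info["rounds"] is None:
                info["problems"].append("non-numeric rounds value")
        if len(rest) != 2:
            info["problems"].append("expected salt and hash fields")
            return info
        info["salt"], info["hash"] = rest
    if len(info["hash"]) != expected:
        info["problems"].append("hash is %d characters, expected %d" % (len(info["hash"]), expected))
    if not CRYPT_CHARS.fullmatch(info["hash"]):
        info["problems"].append("hash has characters outside [./0-9A-Za-z]")
    return info

if __name__ == "__main__":
    # Sample string copied from the slides above.
    print(parse_hash("$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon."))
```

A rounds value of None means no rounds field was present, so the system default applies. These are format checks only: a hash in which one valid character was swapped for another still parses cleanly.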
9. FreeBSD Standard Hashes
In current FreeBSD 10 distributions, the following prefixes for
hashes are standard:
"1" hashing-algorithm=MD5
"2" hashing-algorithm=Blowfish
"3" hashing-algorithm=NT-Hash
"4" (unused)
"5" hashing-algorithm=SHA-256
"6" hashing-algorithm=SHA-512
The NT-hash scheme does not use a salt, and is easy to exploit.
10. Solaris 11 Standard Hashes
In current Solaris distributions, the following prefixes for
hashes are standard:
"1" hashing-algorithm=BSD-MD5
"2a" hashing-algorithm=Blowfish
"MD5" hashing-algorithm=SUN-MD5
"5" hashing-algorithm=SHA-256
"6" hashing-algorithm=SHA-512
"__unix__" hashing-algorithm=DES (deprecated)
11. AIX 7 Standard Hashes
In current AIX distributions, the following prefixes for hashes are
standard:
In /etc/security/login.cfg, the pwd_algorithm attribute defines the default
hash on AIX systems: crypt, which is the legacy crypt algorithm.
"crypt" hashing-algorithm=DES
It can be changed to an algorithm listed in /etc/security/pwdalg.cfg
file.
File /etc/security/pwdalg.cfg lists additional supported encryption
algorithms. For AIX 7 the additional supported algorithms are:
"smd5" hashing-algorithm=MD5
"ssha256" hashing-algorithm=SHA-256
12. HP-UX 11i v3 Standard Hashes
Default prefix for hash is:
"__unix__" hashing-algorithm=DES
HP-UX 11i v1 (11.11) and 11i v2 (11.23) do not support changing the
encryption algorithm. To support changing the encryption algorithm
on 11i v3 (11.31) systems, the Password Hash Infrastructure for HP-UX
11i v3 (PHI11i3) package must be installed (/etc/default/security,
entry CRYPT_DEFAULT; the default value is "__unix__", the legacy
encryption algorithm). The only other supported prefix is "6", which
implements an algorithm based on SHA-512:
"6" hashing-algorithm=SHA-512
13. HP-UX 11i v3 SHA-512 Restrictions
• HP-UX PHI11i3 can be installed only on systems with passwords
stored in the /etc/shadow file.
• Supported with files, but not supported with other nameserver switch
backends, such as NIS. To configure system to use only files, ensure
that the passwd: line in /etc/nsswitch.conf contains only files.
• To use HP-UX PHI11i3 with SSH, must install HP-UX Secure Shell
A.05.00.26 or later. Also, must set "UsePAM yes" in
/etc/opt/ssh/sshd_config.
• To use the pcnfsd commands with HP-UX PHI11i3, must install
ONCplus B.11.31.02 or later.
• Some third party applications may assume that password hashes are
DES-based only. These applications would not function correctly with
HP-UX PHI11i3.
14. Recommendations for Unix
Minimum recommended password hashing should be SHA-512 if
supported by operating system.
To change the password hashing type, follow the examples below:
On FreeBSD edit /etc/login.conf
On AIX edit /etc/security/login.cfg
On Solaris edit /etc/security/policy.conf
On HP-UX 11i v3 (11.31) with Password Hash Infrastructure edit
/etc/default/security
15. Recommendations for Linux
Minimum recommended password hashing should be SHA-512 if
supported by operating system.
For different Linux systems, one of following methods is used (check
the manuals for your distribution):
Run "authconfig --passalgo=sha512 --update"
Set "CRYPT=SHA512" in /etc/default/passwd
Modify "password" line in /etc/pam.d/common-password
Set "ENCRYPT_METHOD SHA512" in /etc/login.defs
16. How to Change Number of Rounds on
RHEL, Debian, Ubuntu Distributions
Edit /etc/pam.d/passwd (line wrapped around for readability):
password required pam_unix.so sha512 shadow
nullok rounds=85000
17. How to Change Number of Rounds on
SUSE Distributions
Edit /etc/default/passwd
CRYPT=SHA512
SHA512_CRYPT_FILES=85000
18. How to Change Number of Rounds on
Solaris
Edit /etc/security/crypt.conf
md5 crypt_sunmd5.so.1 rounds=85000
6 crypt_sha512.so.1 rounds=23000
19. How to Change Number of Rounds on AIX
Edit /etc/security/pwdalg.cfg
sblowfish:
lpa_module = /usr/lib/security/sblowfish
lpa_options = cost_num=16
ssha256:
lpa_module = /usr/lib/security/ssha
lpa_options = algorithm=sha256,cost_num=9,salt_len=24
In the above case, when the Blowfish algorithm is used, the number of rounds is
entered as 2 ^ cost_num. For 65536 (2^16) rounds, specify the setting as 16.
The valid value of cost_num is an integer between 4 and 31, inclusive.
20. How to Change Number of Rounds on
FreeBSD
Currently supported through a patch. Not yet part of
mainstream release.
It adds a string to /etc/login.conf that is the first part of the crypt
to use which will provide the number of rounds as well.
21. How to Change Number of Rounds on HP-UX
Not supported!
22. Interesting Problem to Think About –
Part 1
To test security in its basic form, I modified the password hash by one character for
a user on an Ubuntu system. That made any future login session for a user invalid. I
then verified if the standard tools detect any anomaly of the hash - they did not:
# passwd -Sa (or passwd -S username, depends on Linux distribution)
# pwck -r
# aureport (default Auditd configuration)
Therefore, it is strongly recommended to use more comprehensive auditing and
host intrusion detection methods to prevent password file corruption or exploits.
For standard audits, the following link provides access to a Perl script that runs
various checks on Linux systems (similar can be used on other Unix-like O/S):
http://www.circlingcycle.com.au/Unix-sources/Linux-audit-account-password-hashing.pl.txt
23. Interesting Problem to Think About –
Part 2
Here is an extract from results of the Perl script that runs various checks on
Linux systems. In this specific case, comparison between shadow file and
its backup is executed:
http://www.circlingcycle.com.au/Unix-sources/Linux-audit-account-password-hashing.pl.txt
…
INFO: /etc/shadow differs from backup file /etc/shadow-
INFO: Offending entries in /etc/shadow
root:
$6$T7rwPnT7$3aEtdWD04XnIDuJ00jOF/ORzywzIuVMAP/.pJMzM/Ke0G9
9IvMZ/5zJ/kDL2wgzMWNPpeobQYG0Re5FBCoCTb.:16188:0:99999:7
…
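The comparison reported above, as an added Python example (it is not the linked Perl script or the author's code). It diffs the shadow file against its backup and separately flags a hash that changed while the last-change day in the third field did not, which is what a hand edit of the file leaves behind. The function names are hypothetical and the sample entries are constructed.

```python
# Constructed sample contents standing in for /etc/shadow- and /etc/shadow.
BACKUP = """root:$6$constructedsalt$hashA:16188:0:99999:7:::
alice:$6$constructedsalt$hashB:16100:0:99999:7:::
bob:$6$constructedsalt$hashC:16150:0:99999:7:::
"""
CURRENT = """root:$6$constructedsalt$hashX:16188:0:99999:7:::
alice:$6$constructedsalt$hashD:16190:0:99999:7:::
bob:$6$constructedsalt$hashC:16150:0:99999:7:::
carol:$6$constructedsalt$hashE:16190:0:99999:7:::
"""


def load_shadow(text):
    """Map account name -> list of ':'-separated fields of its entry."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def compare_shadow(current_text, backup_text):
    """Return (account, finding) pairs for entries that differ from the backup."""
    current, backup = load_shadow(current_text), load_shadow(backup_text)
    findings = []
    for name in sorted(set(current) | set(backup)):
        new, old = current.get(name), backup.get(name)
        if old is None:
            findings.append((name, "only in /etc/shadow"))
        elif new is None:
            findings.append((name, "only in backup"))
        elif new[1] != old[1]:
            # passwd(1) rewrites the hash and the day of last change together;
            # an edit made directly in the file changes only the hash.
            if new[2:3] == old[2:3]:
                findings.append((name, "hash changed, last-change day unchanged"))
            else:
                findings.append((name, "hash changed"))
        elif new != old:
            findings.append((name, "other fields changed"))
    return findings


if __name__ == "__main__":
    for account, finding in compare_shadow(CURRENT, BACKUP):
        print("INFO: %s: %s" % (account, finding))
```

A second legitimate password change on the same day also leaves the last-change day unchanged, so treat that finding as a prompt for review.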
24. Future?
Many interesting projects are underway to improve security.
One of them is an open competition for password hashing
algorithms, using the successful model of the previous competitions
like AES, eSTREAM and SHA-3:
https://password-hashing.net/
Portfolio of "good algorithms" is to be obtained by mid-2015,
according to the provisional timeline.
The submissions must include the following desired functionality:
Ability to transform an existing hash to a different cost setting without
knowledge of the password
25. Thank You!
For other interesting summaries you are welcome to check
Slideshare, or my own website:
http://www.circlingcycle.com.au/
http://www.circlingcycle.com.au/Unix-sources/
http://www.circlingcycle.com.au/Unix-and-Linux-presentations/
Dusan Baljevic, May 2014
Editor's Notes
* Lines wrapped for readability
* Taken from Linux systems, string lengths apply to other operating systems too