Blowfish passwords
From ArchWiki
Blowfish encrypted passwords
Important note!
Use this only if you really want to use blowfish. If you just want stronger password hashing, you will probably want to use another algorithm such as SHA, which is supported directly in glibc.
Why use blowfish instead of the others?
It's simple – blowfish is more secure than the commonly used md5 algorithm. Why? md5 suffers from collisions, which means it's possible to find some string that has exactly the same md5sum as, let's say, your password. There is also DES, which has been deprecated for more than ten years because it falls to brute-force attacks due to its short 56-bit key.
Needed packages
- libxcrypt from AUR
Preparation
You must download the libxcrypt PKGBUILD and build it, because libcrypt from glibc only supports the md5 and DES algorithms, which we don't want.
Now you have to rebuild pam against the new libxcrypt. We'll use ABS. Run (make sure you have csup or cvsup installed):
abs
If this is the first run of ABS it may take a while. Now we have a complete ABS tree. Let's copy the needed files to the local tree and build:
cp -a /var/abs/core/base/pam /var/abs/local/pam
cd /var/abs/local/pam
makepkg
Now you have your own pam package, linked against libxcrypt. Install it.
Setting up
Once you have everything installed you have to set up PAM. First, log in as root:
su
and type your password.
The standard (and default) way to handle passwords is via pam_unix.so, but this module doesn't support blowfish passwords, so we will change every use of pam_unix.so to pam_unix2.so:
sed -i 's/pam_unix.so/pam_unix2.so/g' /etc/pam.d/*
Now if you try to change your password, it will still be hashed with md5. We also have to change md5 to blowfish in the PAM configuration:
sed -i 's/md5/blowfish/g' /etc/pam.d/*
NOTE: I don't know if the next step is necessary
Open /etc/default/passwd and replace:
CRYPT=md5
with:
CRYPT=blowfish
There is only one thing left to do: change your passwords, because the hashes in /etc/shadow are still md5 or whatever they were before. Simply run
passwd
and type your password.
Check it!
If you want to check that everything went fine, take a look at /etc/shadow and see what the hash looks like:
- starts with alphanumeric characters and is 13 characters long – password is encrypted with DES
- starts with $1$ – password is encrypted with md5
- starts with $2$ – password is encrypted with blowfish
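To check every account at once instead of reading /etc/shadow by eye, the following added example (not from the original wiki page) applies the three rules above to each hash field and lists the accounts that still need a passwd run. It goes slightly beyond the list by also accepting the $2a$/$2y$ blowfish variants and the "./" characters of the DES crypt alphabet, and it treats locked, disabled and empty fields separately so they are not mistaken for DES. The shadow lines are constructed sample data; run it against the real file as root.

```python
import re

# Constructed sample of /etc/shadow lines (not taken from a real system).
SAMPLE_SHADOW = """\
root:$2a$08$abcdefghijklmnopqrstuuXYZ0123456789abcdefghijklmnopqrstu:15000:0:99999:7:::
alice:$1$saltsalt$hashhashhashhashhashhas:15000:0:99999:7:::
bob:AbCdEfGhIjKlM:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
nobody:!:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

def classify_hash(field):
    """Return the password scheme of one /etc/shadow hash field.

    $2$ (plus the $2a$/$2b$/$2y$ variants) is blowfish, $1$ is md5, and a
    bare 13-character string from the crypt alphabet is traditional DES.
    Empty and locked ('!' or '*') fields are reported on their own.
    """
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if re.match(r"^\$2[aby]?\$", field):
        return "blowfish"
    if field.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[A-Za-z0-9./]{13}", field):
        return "des"
    return "unknown"

def audit_shadow(text):
    """Map each account name in shadow-format text to its hash scheme."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hash_field = line.split(":")[:2]
        result[name] = classify_hash(hash_field)
    return result

def accounts_needing_rehash(text):
    """Accounts whose stored hash is still md5 or DES: run passwd for these."""
    return sorted(name for name, scheme in audit_shadow(text).items()
                  if scheme in ("md5", "des"))

if __name__ == "__main__":
    for name, scheme in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name}: {scheme}")
    print("still on md5/DES:", accounts_needing_rehash(SAMPLE_SHADOW))
```

To audit a live system, replace SAMPLE_SHADOW with the contents of /etc/shadow read as root.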
Upgrade problems
If you can't log in after an upgrade, it's probably because the files in /etc/pam.d were replaced. You will have to make the changes in /etc/pam.d again:
sed -i 's/pam_unix.so/pam_unix2.so/g' /etc/pam.d/*
sed -i 's/md5/blowfish/g' /etc/pam.d/*
The other problem is ldconfig. If your system breaks after running pacman (which calls ldconfig internally), you should use:
alias ldconfig='ldconfig -l'
or make a small wrapper script for ldconfig containing:
#!/bin/sh
# run the real ldconfig with whatever arguments pacman passed, then restore the libxcrypt symlink
/sbin/ldconfig.orig "$@"
ln -sf /lib/libxcrypt.so.1 /lib/libcrypt.so.1
then rename original ldconfig:
mv /sbin/ldconfig /sbin/ldconfig.orig
and replace it with your script:
mv your_script /sbin/ldconfig && chmod 755 /sbin/ldconfig