Blowfish passwords

From ArchWiki




Blowfish encrypted passwords

Important note!

Use this only if you really want to use blowfish. If what you want is security, you will probably prefer another hash such as SHA, which is supported directly in glibc.

Why use blowfish instead of the others?

It's simple: blowfish is more secure than the commonly used md5 algorithm. Why? md5 suffers from collisions, which means it is possible to find some string that has exactly the same md5sum as, let's say, your password. There is also DES, which has been deprecated for more than ten years because it falls to brute-force attacks due to its short 56-bit key.

Needed packages

Preparation

You must download the libxcrypt PKGBUILD and build it. That's because the libcrypt shipped with glibc only supports the md5 and DES algorithms, which we don't want.

Now you have to rebuild pam against the new libxcrypt. We'll use ABS. Run the following (make sure you have csup or cvsup installed):

abs

If this is the first run of ABS it may take a while. Now we have a complete abs tree. Let's copy the needed files to the local tree and build the package:

cp -a /var/abs/core/base/pam /var/abs/local/pam
cd /var/abs/local/pam
makepkg

Now you have your own pam package, linked against libxcrypt. Install it.

Setting up

Once you have everything installed you have to set up PAM. First, log in as root:

su
type your password

The standard (and default) way to handle passwords is via pam_unix.so, but this module doesn't support blowfish passwords. So we will change every use of pam_unix.so to pam_unix2.so:

sed -i 's/pam_unix.so/pam_unix2.so/g' /etc/pam.d/*

Now if you try to change your password, it will still be hashed with md5. We also have to change md5 to blowfish in the PAM configuration:

sed -i 's/md5/blowfish/g' /etc/pam.d/*

NOTE: I don't know if the next step is necessary.

Open the /etc/default/passwd and replace:

CRYPT=md5

with:

CRYPT=blowfish

There is only one thing left to do: change your passwords, because the entries in /etc/shadow are still in md5 or whatever was used before. Simply run

passwd

and type your password.

Check it!

If you want to check that everything went fine, take a look at /etc/shadow and see what the hash looks like:

  • starts with alphanumeric characters and is 13 characters long – password is encrypted with DES
  • starts with $1$ – password is encrypted with md5
  • starts with $2$ – password is encrypted with blowfish

Upgrade problems

If you can't log in after an upgrade, it's probably because the files in /etc/pam.d were replaced. You will have to make the changes in /etc/pam.d again:

sed -i 's/pam_unix.so/pam_unix2.so/g' /etc/pam.d/*
sed -i 's/md5/blowfish/g' /etc/pam.d/*

The other problem is ldconfig, which recreates the libcrypt symlink. So if your system broke after running pacman (which internally calls ldconfig), you should use:

alias ldconfig='ldconfig -l'

or make a small wrapper script for ldconfig containing:

#!/bin/sh
# Run the real ldconfig with the original arguments, then restore the libcrypt symlink it overwrote.
/sbin/ldconfig.orig "$@"
ln -sf /lib/libxcrypt.so.1 /lib/libcrypt.so.1

then rename original ldconfig:

mv /sbin/ldconfig /sbin/ldconfig.orig

and replace it with your script:

mv your_script /sbin/ldconfig && chmod 755 /sbin/ldconfig