DES to MD5 (mini)HOWTO

V.0.2

If there are any questions or comments, please direct them to
walt@erudition.net. The newest copy of this HowTo can always be retrieved
from www.freebsd-howto.com. All rights for the reproduction of this
document are reserved.

Summary.

This mini-HowTo will quickly discuss the FreeBSD system encryption
libraries and how to switch between DES and MD5 encryption schemes in
2.2.8, 3.x, and 4.x FreeBSD systems.

Background.

The FreeBSD system, by default, makes use of the MD5 encryption
scheme for passwords because it is not subject to export restrictions. In
addition, MD5 is more secure than DES, which is mostly useful for backwards
compatibility where password files must be shared with other UNIX systems
also using DES.

For FreeBSD up to 4.3

One can easily determine which encryption scheme is being used by
checking what libraries the libcrypt[._]* links in /usr/lib are linked
against. If they are linked against libscrypt* libraries, then MD5 is
being used, and if they are linked against libdescrypt* then DES is being
used. For instance, the following lines indicate that the system they are
from uses MD5 as its password encryption scheme:

(lasker@nu)/usr/lib>% ls -l libcrypt[._]*
lrwxr-xr-x  1 root  wheel       11 Jun  9 06:18 /usr/lib/libcrypt.a@ -> libscrypt.a
lrwxr-xr-x  1 root  wheel       12 Jun  9 06:19 /usr/lib/libcrypt.so@ -> libscrypt.so
lrwxr-xr-x  1 root  wheel       14 Jun  9 06:21 /usr/lib/libcrypt.so.2@ -> libscrypt.so.2
lrwxr-xr-x  1 root  wheel       13 Jun  9 06:22 /usr/lib/libcrypt_p.a@ -> libscrypt_p.a
(lasker@nu)/usr/lib>%

Switching Libraries.

It is strongly recommended that the MD5 libraries be used instead
of DES whenever possible. As such, it may be necessary to switch libraries
if one has installed a system with DES encryption. This can be easily
accomplished by deleting the libcrypt[._]* links and recreating them by
linking them against the appropriate libraries, which are, simply,
libraries with the same name except with an 's' where there is 'des' in
each of their names. Following is a convenient table for sorting out the
encryption libraries:

	Links			DES			MD5
	-----			---			---

	libcrypt.a		libdescrypt.a		libscrypt.a
	libcrypt.so		libdescrypt.so		libscrypt.so
	libcrypt.so.2		libdescrypt.so.2	libscrypt.so.2
	libcrypt_p.a		libdescrypt_p.a		libscrypt_p.a

For FreeBSD 4.4

With FreeBSD 4.4, the method for controlling whether DES or MD5 is
used has changed and is now much simpler. The encryption scheme is
controlled from within login.conf by the capability named "passwd_format",
which is set to MD5 by default. To change to DES, simply change the value
from "md5" to "des".

Compatibility.

A system using DES can still authenticate passwords encrypted in
MD5, because the DES libraries also include the MD5 hash; the reverse,
however, is not true. One can quickly check how a password has been
encrypted by looking into /etc/master.passwd. MD5 passwords are twice as
long as DES passwords and invariably begin with the string "$1$". For this
reason, MD5 and DES passwords can be easily identified. If one has a mixed
batch of passwords encrypted with both schemes, it may be better to stay
with the DES encryption libraries, unless one can unproblematically
re-encrypt all passwords in the MD5 scheme.
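
The check described above can be scripted. The following is an added
example, not part of the original HowTo: it classifies each account in a
master.passwd-format file by hash scheme so that a mixed batch can be
spotted before switching. The function names and the sample entries are
assumptions made for illustration; the hash strings are constructed
placeholders.

```sh
#!/bin/sh
# Added example (not from the HowTo): classify each account's password hash
# in a master.passwd-format file, using the page's rule that MD5 begins "$1$".

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:abCDEFGHIJKLM:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$BBBBBBBBBBBBBBBBBBBBBB:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
}

# classify_hashes FILE: print "user scheme" for every account line.
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }                # skip comments and malformed lines
        {
            h = $2                             # second field holds the hash
            if (h == "")                       s = "empty"
            else if (substr(h, 1, 3) == "$1$") s = "md5"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
            else                               s = "other"  # "*", locked or unrecognised
            print $1, s
        }' "$1"
}

# users_with SCHEME FILE: list the accounts whose hash uses SCHEME.
users_with() {
    classify_hashes "$2" | awk -v want="$1" '$2 == want { print $1 }'
}

# Demo on the constructed sample. Per the text above, accounts reported as
# "des" cannot be authenticated by a system using the MD5 libraries.
demo_file=$(mktemp)
sample_master_passwd > "$demo_file"
classify_hashes "$demo_file"
echo "DES accounts: $(users_with des "$demo_file")"
rm -f "$demo_file"
```

On a live system, run classify_hashes as root against /etc/master.passwd;
the file is only read, never modified.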

Appendix.

	man 9 MD5
	man 1 bdes
	man 1 md5
	man login.conf



