Brief Summary of Standard Password Hashes on Unix and Linux Systems 2014

RHEL and CentOS 6.5, OpenSUSE 13.1, Ubuntu 14.04, Oracle Linux 6.5, FreeBSD 10, HP-UX 11i v3, Solaris 11

Dusan BaljevicSydney, Australia

Standard Password Hashes Unix and Linux Systems – May 2014

The following information is based on current versions of

operating systems:

RHEL and CentOS 6.5

OpenSUSE 13.1

Ubuntu 14.04

Oracle Linux 6.5

FreeBSD 10

HP-UX 11i v3

Solaris 11

Standard Password Hash ExampleContrary to popular belief, the account password entries in /etc/shadow can have more than three "$"-separators (hint: when one, for example, uses SHA-256 or SHA-512 hashing and non-default number of rounds).

On standard servers, three "$"-separated values in the second “:”-separated field are part of the user entry in /etc/shadow (line wrapped-around for readability):

someusr:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.:0:99999:7:::on.:

The string of interest for further discussion:

$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.

Inside Hashed Password StringWhat is inside the password string $5$Salt$Hash from the previous slide:

$5 SHA-256 hashingSalt "Y4HhzEPz"Hash "mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon."

The extra "$"-separated field can exist when non-default number of rounds (see next slide) is implemented. Then we have, for example, $6$Rounds$Salt$Hash:

$6$rounds=85000$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

$6 SHA-512 hashing Rounds 85000 timesSalt "pA/kjrZS"Hash "wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi."

Rounds in Password Hashes

The security of existing hashing algorithms like MD5 can be increased.

It is done through process known as "rounds" - a parameter associated with almost every password hashing algorithm.

The process of increasing rounds is known as "Key Stretching“, by making a weak password more secure to brute-force attacks, through increasing the time needed to test each key.

For example, rounds=85000 means the system must compute 85000 hashes every time a user logs in. This imposes a restriction that an attacker has to compute 85000 hashes for each password they are trying to compromise against the hash in /etc/shadow. Therefore the attacker will be delayed by a factor of 85000. Most modern computers will take less that 1 second to compute 85000 hashes.

If there is no specification for the rounds option, the system will use the default value for the given algorithm.

Examples of Valid Password Hashes on Linux Systems*SHA-256 hashing:$5$Y4HhzEPz$mXSHm95E/4MQPp.3X4Km5R/ysct0WT45FzdX2mPkon.

SHA-512 hashing account with non-default rounds:$6$rounds=85000$pA/kjrZS$wo0980kwEuE28ER6moiaHzuDqO/VZMoxfvbXK1i/cW2BdJjI8xH/1WgD7RH7UaxM1SDLYsPtPgiMF9orb1Iwi.

SHA-512 hashing account:$6$zgpfWfGc$ACfCZLTLeJzLhiC1gyO0Bj5JlD337zAW.L25FpYz07QalwRQJYAJ8AIFL69PxK2XwoDehTLzPT64AsrMUsL1o0

MD5 hashing account:$1$6tAaCsfx$E2amS8ko4ks1lxz7izSL//

Blowfish hashing account:$2y$05$Z4taSkam70Vc9mMqtrAby25ixpstvJUf49gqzPtjhkscGgu4Zvd6c

Example of Password Hashes in Perl *

my %PWHASHARR = ( "1", "hashing-algorithm=MD5", "2a", "hashing-algorithm=Blowfish", "5", "hashing-algorithm=SHA-256", "6", "hashing-algorithm=SHA-512", );

Default string length (in characters) for encrypted part of the password string (third or fourth “$”-separated field in password hash in /etc/shadow):

my %PWLEN = ( "1", "22", "2a", "53", "5", "43", "6", "86", );

If DES is used (strongly discouraged!) the length is 13 characters.

If, for example SHA-512 is used, the encrypted part of password is, by default, 86 characters long in /etc/shadow

Linux Standard Hashes

In current Linux distributions, the following prefixes for hashes are standard:

"1" hashing-algorithm=BSD-MD5

"2a" hashing-algorithm=BSD-Blowfish

"2y" hashing-algorithm=BSD-Blowfish (SUSE)

"5" hashing-algorithm=SHA-256

"6" hashing-algorithm=SHA-512

"" hashing-algorithm=DES

"_" hashing-algorithm=Extended-BSDI-DES (SUSE)

FreeBSD Standard Hashes

In current FreeBSD 10 distributions, the following prefixes for hashes are standard:

"1" hashing-algorithm=MD5

"2" hashing-algorithm=Blowfish

"3" hashing-algorithm=NT-Hash

"4" (unused)

"5" hashing-algorithm=SHA-256

"6" hashing-algorithm=SHA-512

The NT-hash scheme does not use a salt, and is easy to exploit.

Solaris 11 Standard Hashes

In current Solaris distributions, the following prefixes for hashes are standard:

"1" hashing-algorithm=BSD-MD5

"2a" hashing-algorithm=Blowfish

“MD5" hashing-algorithm=SUN-MD5

"5" hashing-algorithm=SHA-256

"6" hashing-algorithm=SHA-512

"__unix__" hashing-algorithm=DES (deprecated)

AIX 7 Standard HashesIn current AIX distributions, the following prefixes for hashes are standard:

File /etc/security/login.cfg, attribute pwd_algorithm defines default hash on AIX systems: crypt, which is the legacy crypt algorithm.

"crypt" hashing-algorithm=DES

It can be changed to an algorithm listed in /etc/security/pwdalg.cfg file.

File /etc/security/pwdalg.cfg lists additional supported encryption algorithms. For AIX 7 the additional supported algorithms are:

"smd5" hashing-algorithm=MD5"ssha256" hashing-algorithm=SHA-256

HP-UX 11i v3 Standard Hashes

Default prefix for hash is:

"__unix__" hashing-algorithm=DES

HP-UX 11i v1 (11.11) and 11i v2 (11.23) do not support changing the encryption algorithm. To support changing the encryption algorithm on 11i v3 (11.31) systems, the Password Hash Infrastructure for HP-UX 11i v3 (PHI11i3) package must be installed (/etc/default/security, entry CRYPT_DEFAULT - default value is "__unix__“ the legacy encryption algorithm). The only other supported prefix is “6”, which implements an algorithm based on SHA-512:

"6" hashing-algorithm=SHA-512

HP-UX 11i v3 SHA-512 Restrictions• HP-UX PHI11i3 can be installed only on systems with

passwords stored in the /etc/shadow file.

• Supported with files, but not supported with other nameserver switch backends, such as NIS. To configure system to use only files, ensure that the passwd: line in /etc/nsswitch.conf contains only files.

• To use HP-UX PHI11i3 with SSH, must install HP-UX Secure Shell A.05.00.26 or later. Also, must set "UsePAM yes" in /etc/opt/ssh/sshd_config.

• To use the pcnfsd commands with HP-UX PHI11i3, must install ONCplus B.11.31.02 or later.

• Some third party applications may assume that password hashes are DES-based only. These applications would not function correctly with HP-UX PHI11i3.

Recommendations for Unix

Minimum recommended password hashing should be SHA-512 if supported by operating system.

To change the password hashing type, follow the examples below:

On FreeBSD edit /etc/login.conf

On AIX edit /etc/security/login.cfg

On Solaris edit /etc/security/policy.conf

On HP-UX 11i v3 (11.31) with Password Hash Infrastructure edit /etc/default/security

Recommendations for Linux

Minimum recommended password hashing should be SHA-512 if supported by operating system.

For different Linux systems, one of following methods is used (check the manuals for your distribution):

Run "authconfig --passalgo=sha512 --update“

Set "CRYPT=SHA512" in /etc/default/passwd

Modify "password" line in /etc/pam.d/common-password

Set "ENCRYPT_METHOD SHA512" in /etc/login.defs

How to Change Number of Rounds on RHEL, Debian, Ubuntu Distributions

Edit /etc/pam.d/passwd (like wrapped around for readability):

password required pam_unix.so sha512 shadow nullok rounds=85000

How to Change Number of Rounds on SUSE Distributions

Edit /etc/default/passwd

CRYPT=SHA512SHA512_CRYPT_FILES=85000

How to Change Number of Rounds on Solaris

Edit /etc/security/crypt.conf

md5 crypt_sunmd5.so.1 rounds=85000

6 crypt_sha512.so.1 rounds=23000

How to Change Number of Rounds on AIX

Edit /etc/security/pwdalg.cfg

sblowfish:lpa_module = /usr/lib/security/sblowfishlpa_options = cost_num=16

ssha256:lpa_module = /usr/lib/security/sshalpa_options = algorithm=sha256,cost_num=9,salt_len=24

In above case, when Blowfish algorithm used, number of rounds is entered as 2 ^ cost_num. For 65536 (2^16) rounds, specify the setting as 16.

The valid value of cost_num is an integer between 4 and 31, inclusive.

How to Change Number of Rounds on FreeBSD

Currently supported through a patch. Not yet part of mainstream release.

It adds a string to /etc/login.conf that is the first part of the crypt to use which will provide the number of rounds as well.

How to Change Number of Rounds on HP-UX

Not supported!

Interesting Problem to Think About – Part 1

To test security in its basic form, I modified the password hash by one character for a user on Ubuntu system. That made any future login session for a user invalid. I then verified if the standard tools detect any anomaly of the hash - they did not:

# passwd –Sa (or passwd –S username, depends on Linux distribution)

# pwck –r

# aureport (default Auditd configuration)

Therefore, it is strongly recommended to use more comprehensive auditing and host intrusion detection methods to prevent password file corruption or exploits.

For standard audits, the following link provides access to Perl script that runs various checks on Linux systems (similar can be used on other Unix-like O/S): http://www.circlingcycle.com.au/Unix-sources/Linux-audit-account-password-hashing.pl.txt

Interesting Problem to Think About – Part 2

Here is an extract from results of the Perl script that runs various checks on Linux systems. In this specific case, comparison between shadow file and its backup is executed: http://www.circlingcycle.com.au/Unix-sources/Linux-audit-account-password-hashing.pl.txt

…INFO: /etc/shadow differs from backup file /etc/shadow-INFO: Offending entries in /etc/shadow

root:$6$T7rwPnT7$3aEtdWD04XnIDuJ00jOF/ORzywzIuVMAP/.pJMzM/Ke0G99IvMZ/5zJ/kDL2wgzMWNPpeobQYG0Re5FBCoCTb.:16188:0:99999:7…

Future?

Many interesting projects are underway to improve security.

One of them is an open competition for password hashing algorithms, using the successful model of the previous competitions like AES, eSTREAM and SHA-3:

https://password-hashing.net/

Portfolio of "good algorithms" is to be obtained by mid-2015, according to the provisional timeline.

The submissions must include the following desired functionality:

Ability to transform an existing hash to a different cost setting without knowledge of the password

Thank You!

For other interesting summaries you are welcome to check Slideshare, or my own website: http://www.circlingcycle.com.au/

http://www.circlingcycle.com.au/Unix-sources/

http://www.circlingcycle.com.au/Unix-and-Linux-presentations/

Dusan Baljevic, May 2014