libxcrypt
Feature request: configurable policy for hash functions and cost parameters
On Linux, glibc's libcrypt forbids the use of MD5 and DES password hashes if /proc/sys/crypto/fips_enabled exists and contains a positive integer. As I understand it, this was a kludge for a specific security certification that is no longer considered valuable, but it suggests a more general and useful feature: a configuration file (perhaps /etc/security/pwhash.conf) allowing the system administrator to forbid the use of some hash functions, and also to configure the options for hashes that have them.
A possible file format:
```
# As usual, comments begin with `#` and extend to the end of the line.
# Blank lines are ignored.

# New passwords are to be hashed in bcrypt-2b format with the default cost parameter
bcrypt-2b: yes

# SHA-2-512 is also acceptable. Use 4096 rounds.
sha512: yes rounds=4096

# SHA-256 and older variants of bcrypt are acceptable but should be updated to a
# modern hash the next time the user logs in.
bcrypt-2a: old
bcrypt-2x: old
bcrypt-2y: old
sha256: old

# MD5 and DES hashes are no longer acceptable even for old accounts.
md5: no
des: no
bsdi: no
bigcrypt: no
```
crypt and crypt_gensalt would both fail with EPERM when offered a setting for a "no" hash; crypt_gensalt but not crypt would fail with EPERM when offered a setting for an "old" hash. (Actually auto-updating the password database is not our job, but perhaps we could coordinate with the PAM people to make it happen.)
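A sketch of the proposed semantics, added here as an illustration and not taken from libxcrypt or from either poster: it parses the file format above and returns EPERM the way the proposal describes for `crypt` and `crypt_gensalt`. The names `pwhash_lookup`, `pwhash_check` and `SAMPLE_CONF` are hypothetical, and denying hashes that the file does not list is an assumption of this example, since the proposal does not say.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum policy { POL_NO, POL_OLD, POL_YES };
/* Constructed sample: entries taken from the file format proposed above. */
static const char SAMPLE_CONF[] =
    "# blank lines and comments are ignored\n\n"
    "bcrypt-2b: yes\n"
    "sha512: yes rounds=4096\n"
    "bcrypt-2a: old\n"
    "sha256: old   # trailing comment\n"
    "md5: no\n"
    "des: no\n";

/* Look up `hash` in `conf`. Returns 1 and fills *pol and *rounds (0 = hash
   default) if listed; returns 0 if unlisted or the entry is malformed. */
int pwhash_lookup(const char *conf, const char *hash, enum policy *pol, unsigned long *rounds)
{
    size_t hlen = strlen(hash);
    for (const char *p = conf; *p; ) {
        p += strspn(p, " \t");                   /* skip leading blanks */
        size_t len = strcspn(p, "\n"), body = len;
        const char *c = memchr(p, '#', len);     /* strip trailing comment */
        if (c) body = (size_t)(c - p);
        char buf[128], word[8] = "", opt[32] = "";
        if (body > hlen && body - hlen <= sizeof buf
            && !strncmp(p, hash, hlen) && p[hlen] == ':') {
            memcpy(buf, p + hlen + 1, body - hlen - 1);
            buf[body - hlen - 1] = '\0';
            sscanf(buf, " %7s %31s", word, opt);
            *rounds = strncmp(opt, "rounds=", 7) ? 0 : strtoul(opt + 7, NULL, 10);
            if (!strcmp(word, "yes")) { *pol = POL_YES; return 1; }
            if (!strcmp(word, "old")) { *pol = POL_OLD; return 1; }
            if (!strcmp(word, "no"))  { *pol = POL_NO;  return 1; }
            return 0;                            /* unknown keyword */
        }
        p += len + (p[len] == '\n');             /* advance to next line */
    }
    return 0;
}

/* 0 if permitted, EPERM otherwise; for_gensalt=1 models crypt_gensalt, 0 models crypt. */
int pwhash_check(const char *conf, const char *hash, int for_gensalt)
{
    enum policy pol; unsigned long rounds;
    /* Assumption of this example: unlisted or malformed entries fail closed. */
    if (!pwhash_lookup(conf, hash, &pol, &rounds)) return EPERM;
    return (pol == POL_NO || (pol == POL_OLD && for_gensalt)) ? EPERM : 0;
}
```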
Not commenting on the feature nor on file format, but this reminded me: I suggest that we adopt the naming of these hashes that's currently used in password hash cracking. This means: descrypt, bsdicrypt, md5crypt, sha256crypt, sha512crypt. This would help avoid the usual confusion between DES (block cipher) and descrypt, and between MD5 (fast, non-salted non-password ex-cryptographic hash) and md5crypt, etc. We should adopt this naming not only in identifiers, but also in comments, documentation, etc. Do not write things like "MD5 and DES hashes", etc.