HP-UX Password Hashing Infrastructure B.11.23.01 Release Notes, Ed. E001
backward compatible with crypt and provide the option to use an alternative password hash
algorithm, as configured by the attributes CRYPT_DEFAULT and
CRYPT_ALGORITHMS_DEPRECATE described in security(4).
Table 1-1 lists and briefly describes the HP-UX PHI crypt functions:
Table 1-1 HP-UX PHI Functions

crypt2_passwd_match(key, oldhash, username)
    Derives both the password hash algorithm and salt from oldhash. It then applies the algorithm to the salt and to the string key. If the resulting hash string matches oldhash, the function returns 1; otherwise it returns 0.

crypt2_passwd_hash(key, oldhash, username)
    Computes a random salt suitable for username and compatible with the hash algorithm encoded in oldhash. The function then applies the algorithm to the newly constructed salt and to the string key. Upon success, the resulting hash string is returned. Upon failure, a pointer to the string "*" is returned.

crypt2_passwd_salt(oldhash, username)
    Computes a random salt suitable for username and compatible with the hash algorithm encoded in oldhash. If oldhash corresponds to a hash algorithm that is compliant with the current password hash policies, the function returns a new salt suitable for that algorithm. Otherwise, if the original algorithm is not acceptable, the function returns a salt that corresponds to the default hash algorithm. Setting oldhash to "aa" requests a DES-compatible salt. Setting oldhash to "$6$" requests a SHA-512-compatible salt. If the name of the user is not available when an application calls crypt2_passwd_salt, username should be set to "". This prompts the function to bypass any checks for per-user policies and to apply only the system-wide security policies.

crypt2(key, saltstring)
    Derives both the password algorithm and salt from saltstring. It then applies the algorithm to the salt and to the string key, and returns the resulting hash string. Unlike crypt2_passwd_hash, the crypt2 function makes no checks on the appropriateness of the hash algorithm or salt. It is recommended that saltstring be the result of a prior call to crypt2_passwd_salt.
NOTE: The crypt2, crypt2_passwd_salt, and crypt2_passwd_hash functions return
a pointer allocated by the functions themselves. The caller is responsible for calling free to
deallocate this memory space.
Even though the username argument is ignored, it still must be provided in calls to
crypt2_passwd_match, crypt2_passwd_hash, and crypt2_passwd_salt.
The PHI functionality (for example, the password hash policies) is only enforced at the
system-wide level using CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE in the
/etc/default/security file.
NOTE: Enforcement of user-specific policies is not implemented yet.
Table 1-2 lists and briefly describes the HP-UX PHI attributes:
Table 1-2 HP-UX PHI Attributes

CRYPT_DEFAULT
    Specifies the default password hash algorithm. It is used when a new user password is created and either the user did not have a password before or the old password was hashed with a deprecated algorithm (one listed in CRYPT_ALGORITHMS_DEPRECATE). The value of CRYPT_DEFAULT should not be present in CRYPT_ALGORITHMS_DEPRECATE. This attribute is only valid when the PHI product is installed.

CRYPT_ALGORITHMS_DEPRECATE
    Lists the password hash algorithms that must be deprecated when a user's password is changed. This attribute is only valid when the PHI product is installed.
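The selection rule that Tables 1-1 and 1-2 describe for crypt2_passwd_salt (keep the algorithm of oldhash unless CRYPT_ALGORITHMS_DEPRECATE lists it, else fall back to CRYPT_DEFAULT) is modelled below in portable C as an added example; it is not HP-UX or PHI code and runs without the library. The DES identifier "__unix__", the comma-separated format of CRYPT_ALGORITHMS_DEPRECATE and the use of /dev/urandom in place of the library's own salt generator are assumptions.

```c
/* Added example, not HP-UX code: models the rule the notes give for
 * crypt2_passwd_salt(): keep the algorithm of oldhash unless it is listed in
 * CRYPT_ALGORITHMS_DEPRECATE, otherwise use CRYPT_DEFAULT. "$id$" follows the
 * usual crypt convention ("6" = SHA-512); the DES id "__unix__" and the
 * comma-separated list format are assumed from security(4). */
#include <stdio.h>
#include <string.h>
#define DES_ID "__unix__"

/* Copy the algorithm id of a hash or salt into id[]; no "$id$" means DES. */
static void phi_algorithm_of(const char *hash, char *id, size_t idsz)
{
    const char *end;
    if (hash[0] != '$') { snprintf(id, idsz, "%s", DES_ID); return; }
    end = strchr(hash + 1, '$');                   /* "$6$..." -> "6" */
    snprintf(id, idsz, "%.*s", (int)(end ? end - hash - 1 : (long)strlen(hash + 1)), hash + 1);
}

/* True if id is one entry of a comma-separated CRYPT_ALGORITHMS_DEPRECATE value. */
static int phi_is_deprecated(const char *id, const char *list)
{
    size_t n = strlen(id);
    while (*list) {
        const char *e = strchr(list, ',');
        size_t len = e ? (size_t)(e - list) : strlen(list);
        if (len == n && memcmp(list, id, n) == 0) return 1;
        list += e ? len + 1 : len;
    }
    return 0;
}

/* Build a new salt: two characters for DES, "$id$" plus 16 otherwise, drawn from
 * /dev/urandom (stand-in for the library's generator). -1 on short buffer or bad policy. */
static int phi_make_salt(const char *oldhash, const char *crypt_default,
                         const char *deprecate, char *out, size_t outsz)
{
    static const char set[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    char id[32]; unsigned char rnd[16]; size_t n, i, pos = 0; FILE *f;
    if (phi_is_deprecated(crypt_default, deprecate)) return -1; /* default must not be deprecated */
    phi_algorithm_of(oldhash, id, sizeof id);
    if (phi_is_deprecated(id, deprecate))           /* old algorithm no longer allowed */
        snprintf(id, sizeof id, "%s", crypt_default);
    n = strcmp(id, DES_ID) == 0 ? 2 : 16;
    if (outsz < n + strlen(id) + 3 || !(f = fopen("/dev/urandom", "rb"))) return -1;
    i = fread(rnd, 1, n, f); fclose(f);
    if (i != n) return -1;
    if (n == 16) pos = (size_t)snprintf(out, outsz, "$%s$", id);
    for (i = 0; i < n; i++) out[pos + i] = set[rnd[i] % 64];
    out[pos + n] = '\0';
    return 0;
}
```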