HP-UX Password Hashing Infrastructure B.11.23.01 Release Notes, Ed. E002
1.4 HP-UX PHI Documentation
Use the following documents in conjunction with each other when using HP-UX PHI B.11.23.01:
• HP-UX PHI B.11.23.01 Release Notes
• security(4)
These documents are located at:
http://docs.hp.com
1.5 HP-UX PHI Manpages
HP-UX PHI includes a new manpage crypt2(3C) that describes four new crypt functions. The
four crypt functions are enhancements to the legacy crypt function (see crypt(3C)). They are
backward compatible with crypt and provide the option to use an alternative password hash
algorithm, as configured by the attributes CRYPT_DEFAULT and
CRYPT_ALGORITHMS_DEPRECATE described in security(4).
Table 1-1 lists and briefly describes the HP-UX PHI crypt functions:
Table 1-1 HP-UX PHI Functions
Function: crypt2_passwd_match(key, oldhash, username)
Description: Derives both the password hash algorithm and salt from oldhash. It then
applies the algorithm to the salt and to the string key. If the resulting hash
string matches oldhash, then the function returns 1, otherwise it returns 0.

Function: crypt2_passwd_hash(key, oldhash, username)
Description: Computes a random salt suitable for username and compatible with the hash
algorithm encoded in oldhash. The function then applies the algorithm to the
newly constructed salt and to the string key. Upon success, the resulting hash
string is returned. Upon failure, a pointer to * is returned.

Function: crypt2_passwd_salt(oldhash, username)
Description: Computes a random salt suitable for username and compatible with the hash
algorithm encoded in oldhash. If oldhash corresponds to a hash algorithm
that is compliant with the current password hash policies, the function returns
a new salt suitable for that algorithm. Otherwise, if the original algorithm is
not acceptable, the function returns a salt that corresponds to the default hash
algorithm. Setting oldhash to aa requests a DES-compatible salt. Setting
oldhash to $6$ requests a SHA-512-compatible salt. If the name of the user
is not available when an application calls crypt2_passwd_salt, the username
should be set to "". This prompts the function to bypass any checks for per-user
policies and to apply only the system-wide security policies.

Function: crypt2(key, saltstring)
Description: Derives both the password algorithm and salt from saltstring. It then
applies the algorithm to the salt and to the string key, and returns the resulting
hash string. Unlike crypt2_passwd_hash, the crypt2 function performs no
checks on the appropriateness of the hash algorithm or salt. It is recommended
that saltstring be the result of a prior call to crypt2_passwd_salt.
NOTE: The crypt2, crypt2_passwd_salt, and crypt2_passwd_hash functions return
a pointer allocated by the functions themselves. The caller is responsible for calling free to
deallocate this memory space.
Even though the username argument is ignored, it still must be provided in calls to
crypt2_passwd_match, crypt2_passwd_hash, and crypt2_passwd_salt.
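The following is an added example, not HP code and not part of the release notes: it reads the algorithm and salt out of a stored hash string, as Table 1-1 describes for crypt2_passwd_match, which is useful when auditing which entries still carry DES hashes. The helper name phi_classify, the optional rounds= field and the 16-character salt cap are assumptions based on the common $6$ crypt layout; only the aa and $6$ forms come from the text above.

```c
#include <stdio.h>
#include <string.h>

enum phi_alg { PHI_ALG_UNKNOWN, PHI_ALG_DES, PHI_ALG_SHA512 };

/* Salt and hash fields use the crypt alphabet [./0-9A-Za-z]. */
static int is_crypt_char(char c) {
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return c != '\0' && strchr(set, c) != NULL;
}

/* Hypothetical helper (added example): returns the algorithm encoded in hash
 * and points *salt / *salt_len at the salt field inside it (length 0 if none). */
enum phi_alg phi_classify(const char *hash, const char **salt, size_t *salt_len) {
    *salt = NULL;
    *salt_len = 0;
    if (hash == NULL) return PHI_ALG_UNKNOWN;
    if (strncmp(hash, "$6$", 3) == 0) {
        const char *p = hash + 3;
        size_t n = 0;
        if (strncmp(p, "rounds=", 7) == 0) {     /* assumed optional field */
            p = strchr(p, '$');
            if (p == NULL) return PHI_ALG_UNKNOWN;
            p++;
        }
        while (n < 16 && is_crypt_char(p[n]))    /* assumed 16-char salt cap */
            n++;
        *salt = p;
        *salt_len = n;
        return PHI_ALG_SHA512;
    }
    if (is_crypt_char(hash[0]) && is_crypt_char(hash[1])) {
        *salt = hash;                            /* DES: first two characters */
        *salt_len = 2;
        return PHI_ALG_DES;
    }
    return PHI_ALG_UNKNOWN;                      /* "*", "", other prefixes */
}

int main(void) {
    const char *samples[] = { "aa", "$6$", "$6$Zx3.kQ9pLm2a$AbCd", "*" }; /* constructed */
    const char *salt;
    size_t len;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum phi_alg a = phi_classify(samples[i], &salt, &len);
        printf("%-22s alg=%d salt_len=%zu\n", samples[i], (int)a, len);
    }
    return 0;
}
```

Entries classified as PHI_ALG_DES are the ones a stronger CRYPT_DEFAULT is meant to replace on the next password change.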
The PHI functionality (for example, the password hash policies) is only enforced at the
system-wide level using CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE in the
/etc/default/security file.
NOTE: Enforcement of user-specific policies is not implemented yet.
Table 1-2 lists and briefly describes the HP-UX PHI attributes: