diff options
-rw-r--r-- | lib/libc/crypt/crypt.3 | 61 |
1 files changed, 56 insertions, 5 deletions
diff --git a/lib/libc/crypt/crypt.3 b/lib/libc/crypt/crypt.3 index 3e0e59287b3..19806bb7074 100644 --- a/lib/libc/crypt/crypt.3 +++ b/lib/libc/crypt/crypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: crypt.3,v 1.6 1997/03/31 02:38:44 deraadt Exp $ +.\" $OpenBSD: crypt.3,v 1.7 1997/11/05 11:44:49 provos Exp $ .\" .\" FreeSec: libcrypt .\" @@ -59,15 +59,19 @@ The function performs password encryption, based on the .Tn NBS Data Encryption Standard (DES). -Additional code has been added to deter key search attempts. +Additional code has been added to deter key search attempts and to use +stronger hashing algorithms. The first argument to .Fn crypt is a .Dv null Ns -terminated string, typically a user's typed password. -The second is in one of two forms: +The second is in one of three forms: if it begins with an underscore (``_'') then an extended format is used -in interpreting both the key and the setting, as outlined below. +in interpreting both the key and the setting, as outlined below. If it begins +with an string character (``$'') and a number then a different algorithm +is used depending on the number. At the moment a ``$1'' chooses MD5 hashing +and a ``$2'' chooses Blowfish hashing, see below for more information. .Ss Extended crypt: .Pp The @@ -88,6 +92,51 @@ This allows 24 bits for both .Fa count and .Fa salt . +.Ss "MD5" crypt: +.Pp +For +.Tn MD5 +crypt the version number, +.Fa salt +and the hashed password are separated +by the ``$'' character. A valid password looks like this: +.Pp +``$1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1''. +.Pp +The whole password string is passed as +.Fa setting +for interpretation. +.Ss "Blowfish" crypt: +.Pp +The +.Tn Blowfish +version of crypt has 128 bits of +.Fa salt +in order to make building +dictionaries of common passwords space consuming. The initial state +of the +.Tn Blowfish +cipher is expanded using the +.Fa salt +and the +.Fa password +repeating the process a variable number of rounds, which is encoded in +the password string. The final password entry is created by encrypting +the string ``OrpheanBeholderScryDoubt'' with the +.Tn Blowfish +state 64 times. +.Pp +The version number, the logarithm of the number of rounds and +the concatenation of salt and +hashed password are separated by the ``$'' character. An encoded ``8'' +would specify 64 rounds. +A valid password looks like this: +.Pp +``$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC''. +.Pp +The whole password string is passed as +.Fa setting +for interpretation. .Ss "Traditional" crypt: .Pp The first 8 bytes of the key are null-padded, and the low-order 7 bits of @@ -101,7 +150,7 @@ Thus only 12 bits of are used. .Fa count is set to 25. -.Ss Algorithm: +.Ss DES Algorithm: .Pp The .Fa salt @@ -210,7 +259,9 @@ functions all manipulate the same key space. .Sh SEE ALSO .Xr login 1 , .Xr passwd 1 , +.Xr blowfish 3 , .Xr getpass 3 , +.Xr md5 3 , .Xr passwd 5 .Sh BUGS The |