bcrypt in Debian

WARNING: using method below will lock yourself out when using emergency console since whatever crypt it’s using surely doesn’t understand bcrypt (as I experienced myself). Additionally, this solution won’t add bcrypt support to other applications using crypt interface like proftpd unless it’s started by preloading libxcrypt.so first (also from my own experience).

As much as Drepper want to pretend bcrypt is wrong solution, it actually gives one benefit: ease of switch to Linux. Some systems use bcrypt by default or configurable to use it. On other case, there might be time where you need system’s (or applications using system’s) crypt to handle bcrypt passwords from external system (usually web applications).

It’s quite difficult to enable bcrypt support in RHEL based distro as there is no libxcrypt and pam_unix2 packages available. Thankfully it’s available in Debian (and derivatives) in package libpam-unix2.

The README.Debian says to modify files in /etc/pam.d but if I remember it correctly, it confused apt PAM handling system or whatever. Fast forward few weeks, I discovered a better way to use it by creating PAM configuration in /usr/share/pam-configs. Since it’s mostly equivalent to normal pam_unix, I just copy and modify the file using this (long-ass) oneliner sed:

sed -e 's/pam_unix.so/pam_unix2.so/g;s/^Name: Unix authentication$/Name: Unix2 authentication/;s/pam_unix2.so obscure sha512/pam_unix2.so obscure blowfish rounds=8/;s/ nullok_secure//' /usr/share/pam-configs/unix > /usr/share/pam-configs/unix2

Then execute pam-auth-update, select Unix2 authentication and deselect Unix authentication. Don’t forget to update passwords for all other users as well or they won’t be able to login since pam_unix2 doesn’t recognize sha based hashes.

Actually, change all other users password to use md5 first before replacing the PAM with pam_unix2.

Update 2012-04-01: Removed nullok_secure since it isn’t supported.

Update 2012-06-09: Added warning.

3 thoughts on “bcrypt in Debian

  1. Found your article by googling.  I just went through this process…  I wanted to enable bcrypt for my userland passwords, but I’m running Debian unstable (sid).  pam_unix2 says obscure, rounds, blowfish are all obsolete.  But even the warning message is incorrect.  It says you have to edit /etc/default/passwd, but in reality, you have to edit /etc/security/pam_unix2.default.

    The steps I did were:

    0. apt-get install libpam-unix2

    1. Created a /usr/share/pam-configs/unix2 (based on /usr/share/pam-configs/unix).  Changed “Unix authentication” to “Unix2 authentication”…and pam_unix.so references to pam_unix2.so.  Removed all references to nullok_secure, obscure, sha512, rounds.

    2. Edited /etc/security/pam_unix2.default.  Defined default to CRYPT=blowfish.

    3. Ran pam-auth-update and checked Unix2 authentication.  Unchecked Unix authentication.

    4. Reset all my passwords.

    Examine the /etc/shadow file and make sure your passwords now start with “$2a$” which indicates the blowfish hash was used.

    • Please ensure you can log in to emergency shell (recovery mode) before continuing to use this. Last time I tried, I locked out myself from my system and forced to use live cd. (or just disable root password requirement when using emergency shell, for example, by removing root password)

  2. Thanks, but incompatibility with sha hashes is a problem for me. I would have to break all my user’s current passwords first before switching to this!

Leave a Reply

Your email address will not be published. Required fields are marked *