Author: Jason Gaines
HP-UX Password Hashing Infrastructure B.11.23.01 Release Notes

HP Part Number: 5992-4060 Published: January 2008 Edition: E001

© Copyright 2001–2008 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Table of Contents

1 HP-UX Password Hashing Infrastructure B.11.23.01
  1.1 HP-UX PHI Overview
  1.2 HP-UX PHI Features
  1.3 HP-UX PHI Documentation
  1.4 HP-UX PHI Manpages
  1.5 HP-UX PHI Compatibility Information and Installation Requirements

2 Acquiring and Installing HP-UX PHI
  2.1 Acquiring HP-UX PHI
  2.2 Installing HP-UX PHI

3 Known Problems in HP-UX PHI B.11.23.01


1 HP-UX Password Hashing Infrastructure B.11.23.01

The information in this document is for HP-UX Password Hashing Infrastructure (PHI) version B.11.23.01 only.

1.1 HP-UX PHI Overview

HP-UX PHI enhances the security of HP-UX 11i version 2 by providing a new SHA-512-based algorithm for user password hashes as an alternative to the traditional, DES-based password hash algorithm. Traditionally, HP-UX authenticated users with the crypt function, which for decades has implemented a DES-based one-way function. That function is no longer considered adequate for protecting passwords: it hashes at most eight characters of the password under a 12-bit salt and is fast enough that the original password can be recovered by exhaustive search of the hash. A new one-way function is therefore needed to maintain the security of users' passwords. HP-UX PHI provides a set of new functions, referred to as the crypt2 family of functions, which are a backward-compatible alternative to the legacy crypt function. The crypt function itself is not modified. HP-UX PHI is only available on systems with shadowed passwords.

1.2 HP-UX PHI Features

HP-UX PHI offers the following features:

• Strong hashing for user passwords stored in /etc/shadow
  HP-UX PHI provides system administrators with the option of using a new SHA-512-based password hash algorithm in place of the older, DES-based password algorithm.

• Co-existence between DES-based and SHA-512-based passwords
  HP-UX PHI allows successful authentication with, and management of, passwords that are hashed using different algorithms. In the /etc/shadow file, some users' passwords can be hashed with the DES-based algorithm while other users' passwords are hashed with the new SHA-512-based algorithm.

• Migration from one password hash algorithm to another
  HP-UX PHI provides a convenient method of gradual and seamless migration of password hashes from one algorithm to another.

• Cross-vendor compatibility
  Hashes from the new algorithm are prefixed with $6$. This allows password hashes to be used across different vendor systems, provided that the other vendors have also implemented the same $6$ (SHA-512 crypt) algorithm.

1.3 HP-UX PHI Documentation

Use the following documents in conjunction with each other when using HP-UX PHI B.11.23.01:

• HP-UX PHI B.11.23.01 Release Notes
• security(4)

These documents are located at: http://docs.hp.com

1.4 HP-UX PHI Manpages

HP-UX PHI includes a new manpage, crypt2(3C), that describes four new crypt functions. The four functions are enhancements to the legacy crypt function (see crypt(3C)). They are backward compatible with crypt and provide the option to use an alternative password hash algorithm, as configured by the attributes CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE described in security(4). Table 1-1 lists and briefly describes the HP-UX PHI crypt functions.

Table 1-1 HP-UX PHI Functions

crypt2_passwd_match(key, oldhash, username)
    Derives both the password hash algorithm and the salt from oldhash, then applies that algorithm to the salt and to the string key. If the resulting hash string matches oldhash, the function returns 1; otherwise it returns 0.

crypt2_passwd_hash(key, oldhash, username)
    Computes a random salt suitable for username and compatible with the hash algorithm encoded in oldhash, then applies the algorithm to the newly constructed salt and to the string key. On success, the resulting hash string is returned. On failure, a pointer to the string "*" is returned, a value that can never match any password.

crypt2_passwd_salt(oldhash, username)
    Computes a random salt suitable for username and compatible with the hash algorithm encoded in oldhash. If oldhash corresponds to a hash algorithm that complies with the current password hash policies, the function returns a new salt suitable for that algorithm. Otherwise, if the original algorithm is not acceptable, the function returns a salt that corresponds to the default hash algorithm. Setting oldhash to aa requests a DES-compatible salt; setting oldhash to $6$ requests a SHA-512-compatible salt. If the name of the user is not available when an application calls crypt2_passwd_salt, set username to "". This makes the function bypass any checks for per-user policies and apply only the system-wide security policies.

crypt2(key, saltstring)
    Derives both the password hash algorithm and the salt from saltstring, applies the algorithm to the salt and to the string key, and returns the resulting hash string. Unlike crypt2_passwd_hash, the crypt2 function performs no checks on the appropriateness of the hash algorithm or salt, so saltstring should be the result of a prior call to crypt2_passwd_salt.

NOTE: The crypt2, crypt2_passwd_salt, and crypt2_passwd_hash functions return a pointer to memory allocated by the function itself (unlike crypt, which returns a pointer to static storage). The caller is responsible for calling free to release this memory. Even though the username argument is currently ignored, it must still be provided in calls to crypt2_passwd_match, crypt2_passwd_hash, and crypt2_passwd_salt. The PHI functionality (for example, the password hash policies) is enforced only at the system-wide level, using CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE in the /etc/default/security file.

NOTE: Enforcement of user-specific policies is not implemented yet.

Table 1-2 lists and briefly describes the HP-UX PHI attributes.

Table 1-2 HP-UX PHI Attributes

CRYPT_DEFAULT
    Specifies the default password hash algorithm. It is used when a new user password is created and either the user did not have a password before or the old password was hashed with a deprecated algorithm (one listed in CRYPT_ALGORITHMS_DEPRECATE). The value of CRYPT_DEFAULT should not be present in CRYPT_ALGORITHMS_DEPRECATE. This attribute is only valid when the PHI product is installed.

CRYPT_ALGORITHMS_DEPRECATE
    Lists the password hash algorithms that must be replaced when a user's password is changed. This attribute is only valid when the PHI product is installed.

The SHA-512-based algorithm is identified as method 6 (its hashes carry the $6$ prefix); the traditional DES-based algorithm is identified as __unix__. If the attribute CRYPT_DEFAULT is not defined in /etc/default/security, the default value is __unix__, so installing PHI does not by itself change how passwords are hashed. The CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE attributes can be used as follows:

• CRYPT_DEFAULT=__unix__
  The default hash algorithm is the traditional DES-based algorithm.

• CRYPT_DEFAULT=6
  Sets the default password hash algorithm to the SHA-512-based algorithm. Every newly created password is hashed with SHA-512. A user who already has a DES-based hash keeps the DES-based algorithm when changing the password, because __unix__ is not deprecated.

• CRYPT_DEFAULT=6
  CRYPT_ALGORITHMS_DEPRECATE=__unix__
  Migrates DES-based password hashes to SHA-512-based hashes. For each user, the DES-based hash (denoted by __unix__) is replaced with a SHA-512-based one (denoted by 6) at that user's next password change. Existing hashes cannot be converted in place, since the plaintext password is not available to the system, so the migration is complete only once every user has changed their password.

NOTE: The value of CRYPT_DEFAULT should not be present in CRYPT_ALGORITHMS_DEPRECATE.
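The three configurations above only decide what happens at a user's next password change; nothing rewrites the hashes already in /etc/shadow, so an administrator needs a way to see how far a migration has progressed. The following shell script is an added example, not code from the HP release notes or the PHI product: it classifies each entry of a shadow file as DES-based (13 characters from the crypt alphabet), SHA-512-based ($6$ prefix), locked, or empty; extracts the salt the way crypt2_passwd_match derives it from an existing hash; and checks that the two security(4) attributes request the migration consistently (CRYPT_DEFAULT=6 with __unix__ deprecated, and CRYPT_DEFAULT never listed in CRYPT_ALGORITHMS_DEPRECATE). The shadow entries, hashes and security file it reads are constructed samples written to a temporary directory, and the assumption that a multi-valued CRYPT_ALGORITHMS_DEPRECATE is comma separated is the author's, since the notes show only a single value.

```shell
#!/bin/sh
# Added example, not part of the HP release notes: classify each hash in a
# shadow file by algorithm so a DES -> SHA-512 migration can be tracked, and
# check that /etc/default/security requests that migration consistently.
# The sample files are constructed here; on a real 11i v2 system point the
# functions at /etc/shadow and /etc/default/security instead.

# classify_hash HASH -> des | sha512 | locked | none | other
classify_hash() {
    h=$1
    case "$h" in
        '')        echo none ;;     # empty field: account has no password
        '*'*|'!'*) echo locked ;;   # never matches any crypt output
        '$6$'*)    echo sha512 ;;   # PHI method 6, the cross-vendor $6$ format
        *)
            # Traditional crypt(3C): 2-character salt + 11 characters,
            # all drawn from the 64-character set [./0-9A-Za-z]
            if [ "${#h}" -eq 13 ] && [ -z "$(printf '%s' "$h" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo other          # another $id$ scheme or a corrupt entry
            fi ;;
    esac
}

# hash_salt HASH -> the salt crypt2_passwd_match derives from an existing hash:
# the first two characters for DES, the text between the 2nd and 3rd '$' for $6$
hash_salt() {
    case "$1" in
        '$6$'*) printf '%s\n' "$1" | cut -d '$' -f 3 ;;
        *)      printf '%.2s\n' "$1" ;;
    esac
}

# audit_shadow SHADOWFILE -> one "user algorithm" line per account
audit_shadow() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# count_des SHADOWFILE -> number of accounts still carrying a DES-based hash
count_des() {
    audit_shadow "$1" | awk '$2 == "des" { n++ } END { print n + 0 }'
}

# get_attr FILE NAME -> value of the last NAME=value line (empty if unset)
get_attr() { sed -n "s/^$2=//p" "$1" | tail -1; }

# crypt_policy_ok SECURITYFILE -> 0 unless CRYPT_DEFAULT is also listed in
# CRYPT_ALGORITHMS_DEPRECATE, the combination the notes forbid. An unset
# CRYPT_DEFAULT means __unix__. Assumption: several deprecated algorithms
# would be comma separated; the notes only show a single value.
crypt_policy_ok() {
    def=$(get_attr "$1" CRYPT_DEFAULT)
    [ -n "$def" ] || def=__unix__
    case ",$(get_attr "$1" CRYPT_ALGORITHMS_DEPRECATE)," in
        *",$def,"*) return 1 ;;
    esac
    return 0
}

# migration_requested SECURITYFILE -> 0 when DES hashes will be rewritten as
# $6$ at each user's next password change (CRYPT_DEFAULT=6 plus __unix__ deprecated)
migration_requested() {
    [ "$(get_attr "$1" CRYPT_DEFAULT)" = 6 ] || return 1
    case ",$(get_attr "$1" CRYPT_ALGORITHMS_DEPRECATE)," in
        *,__unix__,*) return 0 ;;
    esac
    return 1
}

# --- constructed sample data (not real accounts or hashes) ---
tmpd=$(mktemp -d)
SAMPLE_SHADOW=$tmpd/shadow
SAMPLE_SECURITY=$tmpd/security
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$Xk1Yz9Ab$W3mCw0v5tKqjL1ZpRb8nYh4aE2sF7uG9dJ6iM0oP3qS5vT8xV1yB4cD7fH2kN5rQ9wU3zA6bE8gI0lO2pT4:13879:0:91:7:::
oper:abJnggxhB/yWI:13700:0:91:7:::
build:ab5uiEf8tYw6U:13650:0:91:7:::
nobody:*:13000::::::
guest::13000::::::
EOF
cat > "$SAMPLE_SECURITY" <<'EOF'
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
EOF

audit_shadow "$SAMPLE_SHADOW"
echo "accounts still on DES: $(count_des "$SAMPLE_SHADOW")"
if migration_requested "$SAMPLE_SECURITY" && crypt_policy_ok "$SAMPLE_SECURITY"; then
    echo "policy: DES hashes move to \$6\$ at each user's next password change"
else
    echo "policy: migration not requested, or CRYPT_DEFAULT is itself deprecated" >&2
fi
```

On a live system, run the functions as root against /etc/shadow and /etc/default/security and re-run count_des periodically: the migration is finished when it reports 0. Entries reported as other are neither DES nor $6$ and should be examined by hand.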

1.5 HP-UX PHI Compatibility Information and Installation Requirements

The minimum requirements to install and run HP-UX PHI B.11.23.01 are as follows:

• Hardware Requirements:
  — HP 9000 Computers
  — HP Integrity Servers

• Operating System Requirements:
  — HP-UX 11i v2, September 2004 or later

• Patch Requirements:
  — All required patches are included with the HP-UX PHI bundle

• Security Settings:
  — The system must have shadowed passwords (stored in /etc/shadow)

• Name Service Switch:
  — HP-UX PHI is supported with the files backend only; it is not supported with other name service switch backends, such as NIS or NIS+. To configure your system to use only files, ensure that the passwd: line in /etc/nsswitch.conf contains only files.

• Secure Shell:
  — To use HP-UX PHI with SSH, you must install HP-UX Secure Shell A.04.70.004 or later from Software Depot: http://www.software.hp.com

• Third-Party Applications:
  — Some third-party applications assume that password hashes are always DES-based (for example, that a hash is always 13 characters long). Such applications will not function correctly with HP-UX PHI once SHA-512-based hashes are present.

2 Acquiring and Installing HP-UX PHI

HP-UX PHI is available free of charge from Software Depot: http://www.software.hp.com

2.1 Acquiring HP-UX PHI

To acquire HP-UX PHI, complete the following steps:

1. Go to Software Depot: http://www.software.hp.com.
2. Select Security and manageability. Scroll down and select HP-UX Password Hash Infrastructure. Read the information on the HP-UX PHI release page.
3. Select Receive for Free >> at the bottom of the page.
4. Enter your registration information.
5. Review and accept the "Warranty" and "Terms and Conditions" statements.
6. Select Download at the bottom of the page and save the HP-UX PHI depot as a local file on your system, for example, in /tmp/PHI_depotname.depot.
7. Use the following command to verify that the depot file is on your system:

   # swlist -s /tmp/PHI_depotname.depot

   If the HP-UX PHI depot is on your system, the command prints the following:

   SHA   B.11.23.01   HP-UX Password Hashing Infrastructure

NOTE:
• The depot filename in the previous steps is for example only. The exact HP-UX PHI depot filename and location may vary.
• Within the HP-UX PHI bundle, the product name is shown as SHA.

2.2 Installing HP-UX PHI

To install HP-UX PHI on your HP-UX 11i v2 systems, complete the following steps. A reboot is not required to install HP-UX PHI.

1. Review Section 1.5.
2. Download HP-UX PHI as described in Section 2.1.
3. Log on to your system as the root user.
4. Install HP-UX PHI using the following command:

   # swinstall -s /tmp/PHI_depotname.depot

   The name and location of the HP-UX PHI depot above is for example only; the actual name and location may vary. Naming the product after the depot path (swinstall -s /tmp/PHI_depotname.depot SHA) installs it without the interactive selection screen.
5. [Optional] Reboot your system after installation. If you did not specify the autoreboot flag at installation, you can reboot manually.
6. Verify the installation using the following command:

   # swlist -a state SHA

   If the HP-UX PHI bundle is installed on the system, the swlist command reports all the filesets as configured.

IMPORTANT: The HP-UX PHI functionality is not activated by default after installation. To activate it, edit the CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE attributes in the /etc/default/security file. For more information, see the description of these attributes in the security(4) manpage.

To remove (uninstall) HP-UX PHI B.11.23.01 from your HP-UX 11i v2 systems, complete the following steps. Before removing the product, note that the legacy crypt function cannot verify $6$ hashes: any user whose password is already stored as a SHA-512-based hash will be unable to log in once PHI is gone, unless that password is first changed back to a DES-based hash (CRYPT_DEFAULT=__unix__ with 6 listed in CRYPT_ALGORITHMS_DEPRECATE, followed by a password change).

1. Log on to your system as the root user.
2. Use the following command to remove HP-UX PHI:

   # swremove PHI

   NOTE: HP does not recommend that you remove the corequisite patches from your system.

3. Use the swlist command to verify that HP-UX PHI and all associated components were removed from the system. The swlist command does not report the components of HP-UX PHI if they were successfully removed.
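The IMPORTANT note above leaves activation to a manual edit of /etc/default/security. The following shell script is an added example, not part of the HP release notes or the PHI product: it checks the two prerequisites from Section 1.5 (a shadow file exists; the passwd: line of /etc/nsswitch.conf names only files), keeps a copy of the original security file, then sets CRYPT_DEFAULT=6 and, for a migration, CRYPT_ALGORITHMS_DEPRECATE=__unix__, idempotently and without ever letting the default algorithm appear in the deprecated list. The function names, the mode parameter and the sample security, shadow and nsswitch.conf fragments are the author's constructions; the real targets are /etc/default/security, /etc/shadow and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not part of the HP release notes: activate PHI after
# swinstall by setting the two attributes in /etc/default/security, after
# checking the prerequisites the notes list (a shadow file; passwd: files
# only in nsswitch.conf). File paths are parameters so the procedure can be
# rehearsed on copies; the sample files below are constructed.

# nsswitch_files_only NSSWITCHFILE -> 0 when the passwd: line names only "files"
nsswitch_files_only() {
    awk '$1 == "passwd:" { ok = (NF == 2 && $2 == "files") } END { exit !ok }' "$1"
}

# get_attr FILE NAME -> value of the last NAME=value line (empty if unset)
get_attr() { sed -n "s/^$2=//p" "$1" | tail -1; }

# set_attr FILE NAME VALUE: rewrite an existing NAME= line or append one.
# Writing back through cat keeps the inode, owner and mode of the original.
set_attr() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# activate_phi SECURITYFILE SHADOWFILE NSSWITCHFILE [MODE]
#   MODE default: new passwords use $6$, existing DES hashes are left alone
#   MODE migrate: additionally deprecate __unix__ so DES hashes are rewritten
#                 as $6$ at each user's next password change
# Returns 1 without touching anything when a prerequisite is missing.
activate_phi() {
    sec=$1 shadow=$2 nss=$3 mode=${4:-migrate}
    [ -f "$shadow" ] || { echo "no $shadow: PHI requires shadowed passwords" >&2; return 1; }
    nsswitch_files_only "$nss" ||
        { echo "passwd: in $nss must be 'files' only (NIS/NIS+ unsupported)" >&2; return 1; }
    case $mode in default|migrate) ;; *) echo "unknown mode $mode" >&2; return 1 ;; esac
    [ -f "$sec.pre-phi" ] || cp -p "$sec" "$sec.pre-phi"   # keep the original for rollback
    set_attr "$sec" CRYPT_DEFAULT 6
    [ "$mode" = migrate ] && set_attr "$sec" CRYPT_ALGORITHMS_DEPRECATE __unix__
    # The default algorithm must never appear in the deprecated list
    case ",$(get_attr "$sec" CRYPT_ALGORITHMS_DEPRECATE)," in
        *,6,*) echo "CRYPT_DEFAULT=6 is listed in CRYPT_ALGORITHMS_DEPRECATE" >&2; return 1 ;;
    esac
    return 0
}

# --- constructed sample files standing in for /etc/default/security,
# /etc/shadow and /etc/nsswitch.conf ---
tmpd=$(mktemp -d)
printf '# constructed fragment\nPASSWORD_MAXDAYS=91\nCRYPT_DEFAULT=__unix__\n' > "$tmpd/security"
printf 'root:abJnggxhB/yWI:13700:0:91:7:::\n' > "$tmpd/shadow"
printf 'passwd: files\ngroup:  files\nhosts:  files dns\n' > "$tmpd/nsswitch.conf"
printf 'passwd: files nis\n' > "$tmpd/nsswitch.nis"

activate_phi "$tmpd/security" "$tmpd/shadow" "$tmpd/nsswitch.conf" migrate &&
    cat "$tmpd/security"
```

On a real system run it as root, for example activate_phi /etc/default/security /etc/shadow /etc/nsswitch.conf migrate, and keep the .pre-phi copy until the migration is complete: restoring CRYPT_DEFAULT=__unix__ alone does not convert $6$ hashes back, it only affects the next password change.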

3 Known Problems in HP-UX PHI B.11.23.01

HP-UX PHI B.11.23.01 contains no known problems.
