Red Hat Bugzilla – Bug 428280
No info on crypt(3) SHA-256/512 features
Last modified: 2008-07-28 03:40:11 EDT
Description of problem:
The glibc package in Fedora 8 now has support for passwords using SHA256 and
SHA512 hashing. Before only DES and MD5 were available. The tools to create
passwords have not been extended yet, but if such passwords are created in
others ways, glibc will recognize and honor them.
In man crypt, NOTES, Glibc Notes it's documented how to use the MD5 and DES
implementations and how to distinguish between the two when reading encoded
passwords. No such info exists for the SHA-256/512 implementation.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. man crypt
No info on SHA-256/512 capabilities.
SHA capabilities should be described in the same way MD5 ones are described.
The integration into existing systems is easy if those systems already
support the MD5-based solution. Ever since the introduction of the
MD5-based method an extended password format is in used:
If the password is not of this form it is an old-style DES-encrypted
password. If the password has this form the ID identifies the method
used and this then determines how the rest of the password string is
interpreted. So far the following ID values are in use:
ID | Method
1 | MD5 (Linux, BSD)
2a | Blowfish (OpenBSD)
md5 | Sun MD5
For the new SHA-256 and SHA-512 methods the following values are
ID | Method
5 | SHA-256
6 | SHA-512
So $5$<SALT>$<PWD> is a SHA-256 encoded password and $6$<SALT>$<PWD> is a
SHA-512 encoded one. Please add this info in the manual page.
Thanks, fixed in man-pages-2.75-2.fc9.
The fix that appears to have been made was to copy the above text, from a
standards proposal, into the man page. However, it is not clear if Linux
systems even support all of these options -- did you check this?
As far as I can see:
2a Blowfish -- is not natively supported by glibc, but some distros patch in
support (e.g. openSUSE; but does Fedora?)
md5 Sun MD5 -- is not natively supported by glibc.
5 - SHA-256
6 - SHA-512
Are supported by since glibc 2.7.
Can you confirm?
Ulrich Drepper's comment is:
"None of the other encryption (2a, md5) is supported. It makes no sense
to support them. I only added 5 and 6. If you mention any other you
should say that the others are not generally available and should be
avoided. Only SHA is based on technology sanctioned by NIST." so you are right
the man-page should be fixed.