docs/67624: Handbook incorrect about details of Blowfish encryption

Brett Schroeder brett at brettschroeder.name
Sun Jun 6 10:00:39 UTC 2004 

>Number:         67624
>Category:       docs
>Synopsis:       Handbook incorrect about details of Blowfish encryption
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 06 03:00:39 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Brett Schroeder
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD Anapurna.brettschroeder.name 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu May 27 20:57:11 PDT 2004 brett at Anapurna.brettschroeder.name:/usr/obj/usr/src/sys/ANAPURNA i386

>Description:
Section 10.4.1 of the Handbook (Recognizing your crypt mechanism) 
states that Blowfish encrypted passwords begin with $2$. This is incorrect, 
they begin with $2a$.

Here's an example from my /etc/master.passwd (most of the encrypted password has been X'd
out ;-)

brett:$2a$04$8K21POXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:1001:0::0:0:Brett Schroeder:/home/brett:/bin/csh
vicki:$2a$04$hoMVJMXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:1000:1000::0:0:Vicki Schroeder:/home/vicki:/bin/csh

>How-To-Repeat:
1) Edit /etc/auth.conf to have
	crypt_default   =       blf	# default = md5 des
(not sure if this step is really necessary)

2) Edit /etc/login.conf to have
	:passwd_format=blf:\		# default = md5

3) Run cap_mkdb /etc/login.conf

4) Add a dummy user, take a look at /etc/master.passwd

>Fix:

--- chapter_original.sgml	Sun Jun  6 02:13:05 2004
+++ chapter.sgml	Sun Jun  6 02:13:29 2004
@@ -1031,7 +1031,7 @@
 	Passwords encrypted with the MD5 hash are longer than those
 	encrypted with the DES hash and also begin with the characters
 	<literal>$1$</literal>.  Passwords starting with
-	<literal>$2$</literal> are encrypted with the
+	<literal>$2a$</literal> are encrypted with the
 	Blowfish hash function.  DES password strings do not
 	have any particular identifying characteristics, but they are
 	shorter than MD5 passwords, and are coded in a 64-character


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-doc mailing list