Hashing password with bcrypt in Solaris 10

Hi,

Our security audit person generated a report for Solaris-10 servers and mentioned this suggestion - "All passwords should be hashed using bcrypt. Solaris 10 supports this blowfish-based hash algorithm with the identifier 2a. To verify this, ensure the password hashes start with $2a$. Additionally, all passwords currently hashed as descrypt should be changed."
It looks like it is a third-party utility and not from Oracle. In case of any issue, they may say that it is not supported by us. To achieve a similar result, does Solaris have a default tool, instead of testing/implementing a third-party tool?

Please advise.

Thanks

I've read your post a few times but I'm not sure what your question is.

Solaris can be configured to use different algorithms for password hashing by the settings in /etc/security/policy.conf.

You are correct in that Blowfish is represented by '2a' in that file.

If you set '2a' then all passwords set after that would use Blowfish.

Start reading here.


Yes, that was the answer I was looking for.
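The check the audit report asks for, as an added example that is not part of any post in this thread: because the policy.conf setting only applies to passwords set after the change, this script lists accounts whose shadow entry is still not a `$2a$` hash. The function names and sample data are constructed for illustration; run it with ksh or bash, and as root feed it the real files (`audit_shadow < /etc/shadow`, `crypt_default < /etc/security/policy.conf`).

```shell
# Constructed sample data (placeholder strings, not real hashes) in /etc/shadow layout.
sample_shadow() {
cat <<'EOF'
root:$2a$04$ConstructedSaltValue22uConstructedHashPlaceholder0123:15000::::::
oracle:ab0123456789.:15000::::::
backup:$md5$constructed$$ConstructedPlaceholder:15000::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
EOF
}

# Constructed sample of the relevant /etc/security/policy.conf lines.
sample_policy() {
cat <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=__unix__
EOF
}

# Map one shadow password field to the algorithm that produced it.
classify_hash() {
    case "$1" in
        '$2a$'*)           echo bcrypt ;;
        '$1$'*)            echo bsd-md5 ;;
        '$md5$'*|'$md5,'*) echo sun-md5 ;;
        '$5$'*)            echo sha256 ;;
        '$6$'*)            echo sha512 ;;
        '$'*)              echo unknown ;;
        '')                echo empty ;;
        NP|'*LK*'*)        echo none ;;   # no-password or locked account
        *)  # traditional crypt (descrypt) has no prefix and is 13 characters long
            if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Read shadow lines on stdin; print user:algorithm for every account that has
# a password field which is not a $2a$ hash.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        algo=$(classify_hash "$hash")
        case "$algo" in
            bcrypt|none) ;;
            *) echo "$user:$algo" ;;
        esac
    done
}

# Read policy.conf on stdin; print the algorithm used for newly set passwords.
crypt_default() { sed -n 's/^CRYPT_DEFAULT=//p'; }

echo "CRYPT_DEFAULT: $(sample_policy | crypt_default)"
sample_shadow | audit_shadow
```

Accounts it reports keep their old hash until the password is changed again after CRYPT_DEFAULT has been set to 2a.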