Enable blowfish-based hash support for crypt

The package you need to install in debian is libpam-unix2.

Then you will have to edit the following files under /etc/pam.d/, and change all pam_unix.so usage to pam_unix2.so:

  • common-account
  • common-auth
  • common-password
  • common-session

Finally, edit the common-password file and replace the "md5" parameter with "blowfish".

Passwords that are updated after these modifications are made will be hashed using blowfish. Existing shadow passwords are not modified. Source

To use blowfish in PHP, you provide a blowfish salt to crypt(). Like this:

crypt('sting', '$2a$07$' . substr('saltsaltsaltsaltsaltsalt', 0, 22))

You should first check if CRYPT_BLOWFISH==1. And you'll need to use a long enough salt, which is equal to (or greater than) 22 characters. Source
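As an added example (not code from the original answer), here is how the CRYPT_BLOWFISH check and the 22-character salt described above fit together into a hash-and-verify pair, with a small helper that reads the scheme off a crypt-style hash, which is also a quick way to see what the entries in /etc/shadow currently use before switching PAM modules. It assumes PHP 7 or later (random_bytes(), hash_equals(), scalar type hints) and a build where CRYPT_BLOWFISH is 1; the function names are my own.

```php
<?php
// Added example: bcrypt via crypt() with the checks the answer calls for.

/**
 * Build a bcrypt setting string "$2y$<cost>$<22 salt chars>" from random bytes.
 * "$2y$" is the prefix for PHP >= 5.3.7 (it fixed a bug in the "$2a$" code path);
 * the answer's "$2a$" form is what older builds expect.
 */
function bcrypt_salt(int $cost = 10): string {
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) {
        throw new RuntimeException('crypt() has no bcrypt support on this build');
    }
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes encode to 22 base64 characters (plus "==" padding we drop).
    // bcrypt's alphabet is ./A-Za-z0-9, so "+" from standard base64 becomes ".".
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return '$2y$' . sprintf('%02d', $cost) . '$' . $salt;
}

/** Hash a password with bcrypt; cost is the log2 of the number of key-setup rounds. */
function bcrypt_hash(string $password, int $cost = 10): string {
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() does not throw on failure; it returns a short string such as "*0".
    // A valid bcrypt hash is always 60 characters and starts with "$2".
    if (strlen($hash) !== 60 || strncmp($hash, '$2', 2) !== 0) {
        throw new RuntimeException('crypt() failed to produce a bcrypt hash');
    }
    return $hash;
}

/** Verify a password against a stored bcrypt hash in constant time. */
function bcrypt_verify(string $password, string $hash): bool {
    // Passing the stored hash as the "salt" makes crypt() reuse its prefix, cost and
    // salt, so the output equals the stored hash only if the password matches.
    return hash_equals($hash, crypt($password, $hash));
}

/**
 * Name the crypt(3) scheme from a hash's "$id$" prefix. Useful for checking what a
 * shadow entry uses: a PAM module that lacks the scheme cannot verify that user.
 */
function crypt_scheme(string $hash): string {
    $schemes = [
        '$1$'  => 'md5',
        '$2a$' => 'bcrypt', '$2b$' => 'bcrypt', '$2y$' => 'bcrypt',
        '$5$'  => 'sha256',
        '$6$'  => 'sha512',
        '$y$'  => 'yescrypt',
    ];
    foreach ($schemes as $prefix => $name) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $name;
        }
    }
    // Traditional DES hashes have no "$id$" prefix and are 13 characters long.
    return strlen($hash) === 13 ? 'des' : 'unknown';
}

// Usage with a constructed sample password (cost 7 matches the answer's "$2a$07$").
$hash = bcrypt_hash('correct horse battery staple', 7);
printf("%s  scheme=%s\n", $hash, crypt_scheme($hash));
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong password', $hash));
```

On PHP 5.5 and later the built-in password_hash() and password_verify() functions do the salt generation, cost handling and constant-time comparison shown here, so new code should prefer them; the manual form above is what crypt() itself requires and is what the answer's one-liner is doing.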

Author: Jacco
Updated on September 17, 2022

Comments

  • Jacco (almost 2 years)

    How do I enable crypt_blowfish support for shadowed passwords and PHP on a Linux (Debian) server?

    I'm referring to the OpenBSD-style Blowfish-based bcrypt, known in PHP as CRYPT_BLOWFISH.

    As far as I know there is no Debian package for it; what other options do I have to enable this hashing algorithm for PHP?

    Note:
    PHP's crypt() function interfaces relatively directly with the C-library crypt(3) function provided by the underlying operating system.

    Update
    Package naming is not as clear as it could (should) be.
    The PEAR Crypt_Blowfish package is a drop-in replacement for PHP's MCrypt extension, allowing for quick two-way blowfish encryption.

    The Debian BCrypt package is also an implementation of the 'normal' two-way blowfish algorithm.

    What I'm looking for is the Bcrypt-hash implementation for hashing passwords.

    • Admin (about 15 years)
      doesn't "pear install Crypt_blowfish" work?
    • Admin (about 15 years)
      The pear crypt_blowfish package is the 'normal' two-way blowfish encryption algorithm. I'm looking for the blowfish-based hashing algorithm.
    • Admin (about 15 years)
      ah, now I see the problem.
    • Admin (about 15 years)
      Didn't know you could have a higher bounty on a question than your current rep. Interesting.
    • Admin (about 15 years)
      Rep is deducted immediately, so he had ~200 rep and now has ~50.
    • Admin (over 13 years)
      Looks like there's a native implementation of blowfish in crypt() in php 5.3 and up, which is convenient.
  • Kzqai (almost 13 years)
    Hmmm, after making those changes, CRYPT_BLOWFISH still doesn't equal 1, for some reason.
  • Tom Zych (over 8 years)
    A caveat: if your version of pam_unix2 doesn't support the hashing algorithm currently used for a user's password, that user may not be able to log in. I think that's what I ran into on my Debian box; some accounts were using SHA512 and could not log in, but an account that used MD5 could. You can set those passwords from root, because passwd doesn't ask for the old password when run from root. Important: keep your root session open until you're sure you can log in again!