Enable blowfish-based hash support for crypt
The package you need to install in Debian is libpam-unix2.
Then you will have to edit the following files under /etc/pam.d/, and change all pam_unix.so usage to pam_unix2.so:
- common-account
- common-auth
- common-password
- common-session
Finally, edit the common-password file and replace the "md5" parameter with "blowfish".
Passwords that are updated after these modifications are made will be hashed using blowfish. Existing shadow passwords are not modified. Source
To use blowfish in PHP, you provide a blowfish salt to crypt(). Like this:
crypt('sting', '$2a$07$' . substr('saltsaltsalt', 0, CRYPT_SALT_LENGTH) )
You should first check if CRYPT_BLOWFISH==1. And you'll need to use a long enough salt, which is equal to (or greater than) 22 characters. Source
Jacco
Updated on September 17, 2022
Comments
-
Jacco almost 2 years
How do I enable crypt_blowfish support for shadowed passwords and PHP on a Linux (Debian) server?
I'm referring to the OpenBSD-style Blowfish-based bcrypt, known in PHP as CRYPT_BLOWFISH.
As far as I know there is no Debian package for it, what other options do I have to enable this hashing algorithm for PHP?
Note:
PHP's crypt() function interfaces relatively directly with the C-library crypt(3) function provided by the underlying operating system.
Update
Package-naming is not as clear as it could (should) be.
The PEAR Crypt_Blowfish package is a drop-in replacement for PHP's MCrypt extension, allowing for quick two-way blowfish encryption. Also, the Debian BCrypt package is an implementation of the 'normal' two-way blowfish algorithm.
What I'm looking for is the Bcrypt-hash implementation for hashing passwords.
-
Admin about 15 years
Doesn't "pear install Crypt_blowfish" work?
-
Admin about 15 years
The pear crypt_blowfish package is the 'normal' two-way blowfish encryption algorithm. I'm looking for the blowfish-based hashing algorithm.
-
Admin about 15 years
Ah, now I see the problem.
-
Admin about 15 years
Didn't know you could have a higher bounty on a question than your current rep. Interesting.
-
Admin about 15 years
Rep is deducted immediately, so he had ~200 rep and now has ~50.
-
Admin over 13 years
Looks like there's a native implementation of blowfish in crypt() in PHP 5.3 and up, which is convenient.
-
Kzqai almost 13 years
Hmmm, after making those changes, CRYPT_BLOWFISH still doesn't equal 1, for some reason.
-
Tom Zych over 8 years
A caveat: if your version of pam_unix2 doesn't support the hashing algorithm currently used for a user's password, that user may not be able to log in. I think that's what I ran into on my Debian box; some accounts were using SHA512 and could not log in, but an account that used MD5 could. You can set those passwords from root, because passwd doesn't ask for the old password when run from root. Important: keep your root session open until you're sure you can log in again!
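
An added example, not part of the original thread, for the caveat in the last comment: before switching PAM modules, list which accounts in a shadow(5)-format file use a hash scheme outside the set the new module accepts. The supported set and the sample entries below are constructed assumptions; substitute the schemes your module actually supports.

```python
import re

# Modular crypt format ids mapped to the scheme names used in this report.
SCHEME_IDS = {
    "1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2x": "bcrypt", "2y": "bcrypt",
}
_MCF = re.compile(r"^\$([A-Za-z0-9]+)\$")

# Assumption for this example only: the replacement module accepts these schemes.
ASSUMED_SUPPORTED = {"md5", "bcrypt"}

# Constructed sample in shadow(5) layout; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:$1$constructed$NOTAREALHASHNOTAREALHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$NOTAREALHASH:19000:0:99999:7:::
bob:!$6$constructed$NOTAREALHASH:19000:0:99999:7:::
carol:$2a$07$constructedsaltandhashconstructedsaltandhash:19000:0:99999:7:::
"""

def classify(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    locked = field.startswith("!")      # a leading "!" marks a locked password
    body = field.lstrip("!")
    if body in ("", "*"):               # no hash present at all
        return ("none" if field == "" else "nologin", locked)
    m = _MCF.match(body)
    if m:
        return (SCHEME_IDS.get(m.group(1), "unknown:" + m.group(1)), locked)
    return ("des" if len(body) == 13 else "unknown", locked)

def audit(shadow_text, supported):
    """List (user, scheme, locked) for accounts whose hash is not supported."""
    at_risk = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, locked = classify(parts[1])
        if scheme in ("none", "nologin"):
            continue                    # nothing to verify for these accounts
        if scheme not in supported:
            at_risk.append((parts[0], scheme, locked))
    return at_risk

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE_SHADOW, ASSUMED_SUPPORTED):
        print(f"{user}: {scheme}{' (locked)' if locked else ''} needs a password reset")
```

Accounts it reports are the ones to reset with passwd from the still-open root session after the switch.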