# Can't switch from MD5 to Blowfish for password hashes



## CoTones (Aug 9, 2011)

Hello,

I'm trying to change encryption for password hashes from MD5 to blf on FreeBSD 8.2.

What I did:

changed in /etc/login.conf from

```
:passwd_format=md5:\
```

to

```
:passwd_format=blf:\
```

rebuilt the login database with *cap_mkdb /etc/login.conf*;

changed root password with *passwd*;

Still, in /etc/master.passwd I see

```
root:$1$s0...
```

not

```
root:$2a$...
```

What am I doing wrong?
Sorry for my English,

CoTones


----------



## Mormegil (Aug 9, 2011)

Add the line


```
crypt_default= blf
```

to /etc/auth.conf


----------



## CoTones (Aug 9, 2011)

Mormegil said:

> Add the line
>
> ```
> ...
> ```



Already did - no positive results.


----------



## Nightweaver (Aug 10, 2011)

Try:

```
crypt_default =  blowfish
```

not blf. Then do the `cap_mkdb /etc/login.conf` thing and then change your passwords.


----------



## CoTones (Aug 10, 2011)

Nightweaver said:

> Try: crypt_default =  blowfish, not blf. Then do the "cap_mkdb /etc/login.conf" thing and then change your passwords.



Thanks for helping, still no luck.

Dmesg attached.

CoTones




----------



## anomie (Aug 10, 2011)

CoTones said:

> What am I doing wrong?



Which login class is root in? You can check using chpass(1), or you can use: 

```
# awk -F':' '/^root/{ print $5 }' /etc/master.passwd
```

If the output of that is blank, then root is in the default class. 

---

And which section of /etc/login.conf did you change, exactly? There are potentially multiple places where passwd_format can be changed, depending on your configuration. 

Assuming root is in the default class, and you changed the default section, you will need to log out and log back in before changing root's password. (Otherwise the new crypto hash will not be used.)


----------



## poh-poh (Aug 10, 2011)

Try redefining default PASSWORD_HASH in pam_unix(8) source.

It does work here with passwd_format=blf, though. Can you check that setting blf with crypt_set_format(3) actually works?


----------



## CoTones (Aug 10, 2011)

Hello anomie,


```
# awk -F':' '/^root/{ print $5 }' /etc/master.passwd
```
outputs nothing.

/etc/auth.conf:

```
#
# $FreeBSD: src/etc/auth.conf,v 1.6.32.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# Configure some authentication-related defaults.  This file is being
# gradually subsumed by user class and PAM configuration.
#

# crypt_default	=	md5 des
crypt_default=blf
```

/etc/login.conf:

```
# login.conf - login class capabilities database.
#
# Remember to rebuild the database after each change to this file:
#
#	cap_mkdb /etc/login.conf
#
# This file controls resource limits, accounting limits and
# default user environment settings.
#
# $FreeBSD: src/etc/login.conf,v 1.53.2.2.2.1 2010/12/21 17:09:25 kensmith Exp $
#
-----------snip------------------------

default:\
#	:passwd_format=md5:\
	:passwd_format=blf:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
```


`# chpass root`


```
#Changing user information for root.
Login: root
Password: $1$ndJAxmKq$lOEEM3oditpKzE3phWZpX/
Uid [#]: 0
Gid [# or name]: 0
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /root
Shell: /bin/csh
Full Name: Charlie &
Office Location:
Office Phone:
Home Phone:
Other information:
```

After these manipulations the PC was rebooted. I am confused...

CoTones


----------



## poh-poh (Aug 10, 2011)

You have a syntax error in login.conf. Hint: look at line continuations, the line with commented out md5 breaks it.


----------



## CoTones (Aug 10, 2011)

poh-poh said:

> Try redefining default PASSWORD_HASH in pam_unix(8) source.
> 
> It does work here with passwd_format=blf, though. Can you check that setting blf with crypt_set_format(3) actually works?



Well, it looks interesting, but somehow it should work the same for me as for you, shouldn't it? I'm just trying to find out what's wrong with my FreeBSD installation. And I'm out of ideas.

Thank you,
CoTones


----------



## CoTones (Aug 10, 2011)

poh-poh said:

> You have a syntax error in login.conf. Hint: look at line continuations, the line with commented out md5 breaks it.



Bingo! It works now.

Thank you all,
CoTones


----------
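
The login.conf mistake that resolved this thread, turned into a check (an added example, not posted by any participant): a small `sh`/`awk` lint that flags a `#` line sitting inside a backslash-continued record, and a capability line that no backslash joins to a record. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a getcap-style file such as /etc/login.conf before
# running cap_mkdb. Prints one finding per line; returns 1 if any were found.
lint_login_conf() {
    awk '
        # Previous line ended in a backslash, so this line is inside a record.
        # A "#" line here is the breakage diagnosed in the thread.
        cont && /^[ \t]*#/ {
            printf "%s:%d: comment inside record \"%s\": %s\n", FILENAME, NR, rec, $0
            bad = 1
        }
        # A ":cap=value:" line that no preceding backslash joins to a record.
        !cont && /^[ \t]*:/ {
            printf "%s:%d: capability line outside any record: %s\n", FILENAME, NR, $0
            bad = 1
        }
        # A non-indented, non-comment line outside a record names a new record.
        !cont && /^[^ \t#:]/ { rec = $0; sub(/[:|].*/, "", rec) }
        # Remember whether this line ends in a continuation backslash.
        { cont = ($0 ~ /\\$/) }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples: the shape of the fragment posted in the thread, and a
# corrected form with the commented-out line moved above the record (and its
# trailing backslash dropped).
write_samples() {
    printf 'default:\\\n#\t:passwd_format=md5:\\\n\t:passwd_format=blf:\\\n\t:welcome=/etc/motd:\n' > "$1/broken.conf"
    printf '#\t:passwd_format=md5:\ndefault:\\\n\t:passwd_format=blf:\\\n\t:welcome=/etc/motd:\n' > "$1/fixed.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
lint_login_conf "$tmp/broken.conf" || echo "broken.conf: fix before cap_mkdb"
lint_login_conf "$tmp/fixed.conf" && echo "fixed.conf: clean"
```

After a clean run, rebuild the database with `cap_mkdb /etc/login.conf` and confirm that a newly set password hash in /etc/master.passwd starts with `$2a$` rather than `$1$`.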

