Changing Password Encryption Libraries

Applicable to: FreeBSD 4.x
Updated: August 15, 2000

This cheat sheet describes how to change your password encryption system from DES (Data Encryption Standard) to MD5 (Message Digest 5), and vice versa.

The standard password encryption mechanism for FreeBSD is MD5, but upgrading FreeBSD 3.x to 4.x seems to change this to DES (at least for U.S. residents). I chose to revert to the original MD5 system because MD5 is believed to be more secure than DES, allows passwords longer than eight characters, and because I was not concerned with compatibility with other systems using DES.


To change from DES to MD5:

  1. Using vipw, make note of any users on your system whose passwords are stored as DES hashes. The MD5 library cannot verify DES passwords, so any DES passwords you have will have to be changed.

    # vipw

    You should see something similar to:

        root:$1$93CDf$EQWY0qV7WJ1HBwx3OhOwo/:0:0::0:0:Charlie &:/root:/bin/csh
        steve:$1$hZQd5kJY$dWKdu.A8O9HOr8Qz2.ck21:1000:20::0:0:Steve Bingo:/home/dan:/usr/local/bin/bash
        bob:JhYtRbJkSwQa:1002:20::0:0:Bob Godunk:/home/bob:/usr/local/bin/bash
        pcguest:$1$o1tNgUVQ$v9mkpu3wIx6/fqrgRzaHq.:1003:31::0:0:PC Guest Account:/nonexistent:/nonexistent
    

    MD5 passwords start with '$1$', DES passwords do not; MD5 password hashes are also longer. Note that user 'bob' has a DES password; a new password will have to be assigned.

    Once you make note of any users whose passwords will have to be changed, exit vipw.

  2. Check that your system is indeed using DES:

    # ls -l /usr/lib/libcrypt*
    lrwxr-xr-x  1 root  wheel  11 Aug 15 16:48 /usr/lib/libcrypt.a -> libdescrypt.a
    lrwxr-xr-x  1 root  wheel  12 Aug 15 16:49 /usr/lib/libcrypt.so -> libdescrypt.so
    lrwxr-xr-x  1 root  wheel  14 Aug 15 16:49 /usr/lib/libcrypt.so.2 -> libdescrypt.so.2

    If your system is using DES, the links will point to libdescrypt.* (if not, the links will point to libscrypt.*).

  3. Change the symbolic links to point to the MD5 libraries:

    # cd /usr/lib
    # ln -fs libscrypt.a libcrypt.a
    # ln -fs libscrypt.so libcrypt.so
    # ln -fs libscrypt.so.2 libcrypt.so.2

    If you have profiling libraries installed, also do:

    # ln -fs libscrypt_p.a libcrypt_p.a

  4. Reboot the system:

    # shutdown -r now

  5. When the system is back up, enter new passwords for the users who had DES passwords:

    # passwd bob
    Changing local password for bob.
    New password: *****
    Retype new password: *****
    passwd: updating the database...
    passwd: done

    Don't forget to tell Bob what his new password is!
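
    As an added example (not part of the original cheat sheet), the visual check in step 1 can be scripted. The sh functions below read master.passwd-format lines on standard input and apply the rule given above: '$1$' hashes are MD5, other crypt-alphabet strings are DES. The function names and sample accounts are constructed for illustration; empty and '*' fields are reported separately because they are not hashes.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet.
# Constructed sample in master.passwd format (hash values are placeholders).
sample_passwd() {
    cat <<'EOF'
root:$1$CONSTRUC$TEDxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
bob:abCONSTRUCTED:1002:20::0:0:Bob Godunk:/home/bob:/bin/sh
daemon:*:1:1::0:0:System daemon:/root:/nonexistent
guest::1003:31::0:0:Guest:/nonexistent:/nonexistent
EOF
}

# classify_hashes: read master.passwd lines on stdin, print "user<TAB>kind".
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }                  # comments, malformed lines
        {
            h = $2
            if (substr(h, 1, 3) == "$1$")        kind = "md5"
            else if (h == "")                    kind = "empty"
            else if (substr(h, 1, 1) == "*")     kind = "locked"
            else if (h ~ "^[./0-9A-Za-z]+$")     kind = "des"
            else                                 kind = "other"
            printf "%s\t%s\n", $1, kind
        }'
}

# des_users: only the accounts that need a new password after the switch.
des_users() {
    classify_hashes | awk -F"\t" '$2 == "des" { print $1 }'
}

# Demo on the constructed sample.
sample_passwd | classify_hashes
```

    On a live system, run it as root against the real file: des_users < /etc/master.passwd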


To change from MD5 to DES:

  1. Check that your system is indeed using MD5:

    # ls -l /usr/lib/libcrypt*
    lrwxr-xr-x  1 root  wheel  11 Aug 15 16:48 /usr/lib/libcrypt.a -> libscrypt.a
    lrwxr-xr-x  1 root  wheel  12 Aug 15 16:49 /usr/lib/libcrypt.so -> libscrypt.so
    lrwxr-xr-x  1 root  wheel  14 Aug 15 16:49 /usr/lib/libcrypt.so.2 -> libscrypt.so.2

    If your system is using MD5, the links will point to libscrypt.* (if you are already using DES, the links will point to libdescrypt.*).

  2. Change the symbolic links to point to the DES libraries:

    # cd /usr/lib
    # ln -fs libdescrypt.a libcrypt.a
    # ln -fs libdescrypt.so libcrypt.so
    # ln -fs libdescrypt.so.2 libcrypt.so.2

    If you have profiling libraries installed, also do:

    # ln -fs libdescrypt_p.a libcrypt_p.a

  3. Reboot the system:

    # shutdown -r now

  4. Unlike the DES-to-MD5 procedure above, you don't have to change any users with MD5 passwords; FreeBSD will automatically use the correct libraries.




http://www.mostgraveconcern.com/freebsd/