UnboundID Metrics Engine - Crypt Password Storage Scheme

Metrics Engine Documentation Index
Configuration Reference Home

Crypt Password Storage Scheme

Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact UnboundID support for assistance if you believe that you have a need to create or modify this type of object.

The Crypt Password Storage Scheme provides a mechanism for encoding user passwords using the UNIX crypt algorithm, including the MD5 variant described at http://www.vidarholen.net/contents/blog/?p=32, and the 256-bit and 512-bit SHA-2 variants described at http://people.redhat.com/drepper/SHA-crypt.txt. This storage scheme supports authenticating users with passwords encoded in either standard CRYPT, the MD5 variant, or either of the SHA-2 variants, and it is possible to configure which mechanism should be used when encoding new passwords.

Use of the standard crypt format is strongly discouraged because it uses very weak DES encryption with only a 12-bit salt, so it is susceptible to dictionary, rainbow table, and brute force attacks. The 128-bit MD5 variant, and the 256-bit and 512-bit SHA-2 variants use much stronger cryptographic digests, and much stronger salts to make them more resistant to attacks. They also use multiple digest rounds, which makes the encoding process much more expensive and can significantly interfere with the ability to conduct brute force attacks.

↓Parent Component
↓Properties
↓dsconfig Usage

Parent Component

The Crypt Password Storage Scheme component inherits from the Password Storage Scheme

Properties

The properties supported by this managed object are as follows:

Basic Properties:	Advanced Properties:
↓ description	↓ num-digest-rounds
↓ enabled
↓ password-encoding-mechanism

Basic Properties

description

Description	A description for this Password Storage Scheme
Default Value	None
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

enabled

Description	Indicates whether the Password Storage Scheme is enabled for use.
Default Value	None
Allowed Values	true false
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

password-encoding-mechanism

Description	Specifies the mechanism that should be used to encode clear-text passwords for use with this scheme.
Default Value	sha-2-256
Allowed Values	crypt - Use the standard DES-based UNIX crypt algorithm. This is a weak algorithm and is provided only for the purpose of compatibility with applications that require this format. md5 - Encode passwords with an algorithm using multiple rounds of the 128-bit MD5 digest. sha-2-256 - Encode passwords with an algorithm using multiple rounds of the 256-bit SHA-2 digest. sha-2-512 - Encode passwords with an algorithm using multiple rounds of the 512-bit SHA-2 digest.
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

Advanced Properties

num-digest-rounds (Advanced Property)

Description	Specifies the number of digest rounds to use for the SHA-2 encodings. This will not be used for the legacy or MD5-based encodings. The higher the number of rounds, the more resistant passwords will be to attacks, but the more expensive that legitimate authentication processing will be as well.
Default Value	5000
Allowed Values	An integer value. Lower limit is 1000. Upper limit is 999999999 .
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Crypt Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type crypt
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}