Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Crypt Password Storage Scheme provides a mechanism for encoding user passwords using the UNIX crypt algorithm, including the MD5 variant described at http://www.vidarholen.net/contents/blog/?p=32, and the 256-bit and 512-bit SHA-2 variants described at http://people.redhat.com/drepper/SHA-crypt.txt. This storage scheme supports authenticating users with passwords encoded in either standard CRYPT, the MD5 variant, or either of the SHA-2 variants, and it is possible to configure which mechanism should be used when encoding new passwords.
Use of the standard crypt format is strongly discouraged because it uses very weak DES encryption with only a 12-bit salt, so it is susceptible to dictionary, rainbow table, and brute force attacks. The 128-bit MD5 variant, and the 256-bit and 512-bit SHA-2 variants use much stronger cryptographic digests, and much stronger salts to make them more resistant to attacks. They also use multiple digest rounds, which makes the encoding process much more expensive and can significantly interfere with the ability to conduct brute force attacks.
The Crypt Password Storage Scheme component inherits from the Password Storage Scheme
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | num-digest-rounds |
| enabled | max-password-length |
| password-encoding-mechanism |
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the mechanism that should be used to encode clear-text passwords for use with this scheme. |
| Default Value | sha-2-256 |
| Allowed Values | crypt - Use the standard DES-based UNIX crypt algorithm. This is a weak algorithm and is provided only for the purpose of compatibility with applications that require this format. md5 - Encode passwords with an algorithm using multiple rounds of the 128-bit MD5 digest. sha-2-256 - Encode passwords with an algorithm using multiple rounds of the 256-bit SHA-2 digest. sha-2-512 - Encode passwords with an algorithm using multiple rounds of the 512-bit SHA-2 digest. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
num-digest-rounds (Advanced Property)
| Description | Specifies the number of digest rounds to use for the SHA-2 encodings. This will not be used for the legacy or MD5-based encodings. The higher the number of rounds, the more resistant passwords will be to attacks, but the more expensive that legitimate authentication processing will be as well. |
| Default Value | 5000 |
| Allowed Values | An integer value. Lower limit is 1000. Upper limit is 999999999 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-password-length (Advanced Property)
| Description | Specifies the maximum allowed length, in bytes, for passwords encoded with this scheme, which can help mitigate denial of service attacks from clients that attempt to bind with very long passwords. This password storage scheme performs expensive cryptographic computation as a way to thwart brute force password-cracking attacks. However, this processing consumes server resources, at the possible expense of the server's ability to process other operations. The longer a provided password is, the more expensive it is to encode, or to verify whether a provided password matches a user's encoded password. Malicious clients may attempt to exploit that by providing very long passwords during authentication attempts. However, if the provided password is longer than the configured max-password-length value, then this password storage scheme will immediately reject it rather than perform that expensive computation. |
| Default Value | 200 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes
[--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop
--scheme-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop
--scheme-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Crypt Password Storage Scheme:
dsconfig create-password-storage-scheme
--scheme-name {name}
--type crypt
--set enabled:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme
--scheme-name {name}