Crypt Password Storage Scheme

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Crypt Password Storage Scheme provides a mechanism for encoding user passwords using the UNIX crypt algorithm, including the MD5 variant described at http://www.vidarholen.net/contents/blog/?p=32, and the 256-bit and 512-bit SHA-2 variants described at http://people.redhat.com/drepper/SHA-crypt.txt. This storage scheme supports authenticating users with passwords encoded in either standard CRYPT, the MD5 variant, or either of the SHA-2 variants, and it is possible to configure which mechanism should be used when encoding new passwords.

Use of the standard crypt format is strongly discouraged because it uses very weak DES encryption with only a 12-bit salt, so it is susceptible to dictionary, rainbow table, and brute force attacks. The 128-bit MD5 variant, and the 256-bit and 512-bit SHA-2 variants use much stronger cryptographic digests, and much stronger salts to make them more resistant to attacks. They also use multiple digest rounds, which makes the encoding process much more expensive and can significantly interfere with the ability to conduct brute force attacks.

Parent Component Properties dsconfig Usage

Parent Component

The Crypt Password Storage Scheme component inherits from the Password Storage Scheme

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  num-digest-rounds
 enabled  max-password-length
 password-encoding-mechanism

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

password-encoding-mechanism

Description
Specifies the mechanism that should be used to encode clear-text passwords for use with this scheme.
Default Value
sha-2-256
Allowed Values
crypt - Use the standard DES-based UNIX crypt algorithm. This is a weak algorithm and is provided only for the purpose of compatibility with applications that require this format.

md5 - Encode passwords with an algorithm using multiple rounds of the 128-bit MD5 digest.

sha-2-256 - Encode passwords with an algorithm using multiple rounds of the 256-bit SHA-2 digest.

sha-2-512 - Encode passwords with an algorithm using multiple rounds of the 512-bit SHA-2 digest.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

num-digest-rounds (Advanced Property)

Description
Specifies the number of digest rounds to use for the SHA-2 encodings. This will not be used for the legacy or MD5-based encodings. The higher the number of rounds, the more resistant passwords will be to attacks, but the more expensive that legitimate authentication processing will be as well.
Default Value
5000
Allowed Values
An integer value. Lower limit is 1000. Upper limit is 999999999 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

max-password-length (Advanced Property)

Description
Specifies the maximum allowed length, in bytes, for passwords encoded with this scheme, which can help mitigate denial of service attacks from clients that attempt to bind with very long passwords. This password storage scheme performs expensive cryptographic computation as a way to thwart brute force password-cracking attacks. However, this processing consumes server resources, at the possible expense of the server's ability to process other operations. The longer a provided password is, the more expensive it is to encode, or to verify whether a provided password matches a user's encoded password. Malicious clients may attempt to exploit that by providing very long passwords during authentication attempts. However, if the provided password is longer than the configured max-password-length value, then this password storage scheme will immediately reject it rather than perform that expensive computation.
Default Value
200
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Crypt Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type crypt
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}