Old 07-31-2020, 09:01 AM   #1
LinuGeek
Member
 
Registered: Jun 2008
Posts: 126

Rep: Reputation: 0
Encryption method blowfish


Hello Experts,

I am in the process of enabling a stronger encryption method (Blowfish) on a SLES 15 server. I have tried to enable blowfish in /etc/login.defs under

Quote:
ENCRYPT_METHOD blowfish
ENCRYPT_METHOD_NIS blowfish

But when I try to change the password of a user, I get the following error:

Quote:
Code:
2020-07-31T15:44:08.543922+02:00 ltdvnis01 passwd[28521]: pam_unix(passwd:chauthtok): Algo blowfish not supported by the crypto backend, falling back to MD5
2020-07-31T15:44:08.550694+02:00 ltdvnis01 passwd[28521]: pam_unix(passwd:chauthtok): password changed for test1
So it could not use Blowfish and falls back to MD5. Also the hash key in /etc/shadow confirms this, as it is not $2$ as expected.

The SuSE documentation, however, says:

Using Yast, one can select Blowfish Encryption, using:

Quote:
Yast-->Security Overview-->
Password Encryption Method
Choose a password encryption algorithm. Normally there is no need to change the default(Blowfish).

I could not see Blowfish option in Yast.

So the question is, if it is the default, should I still have to enable it somehow? If yes, then how?
If not, then how do I install and enable it?

Kindly provide me the pointers. Of course I will also be searching Google.

Thanks in advance.

Regards,
Admin
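
The check described in the post above (reading the scheme prefix of the stored hash to see which algorithm was really used) can be scripted. This is an added example, not part of the original post; the function names `classify_shadow`, `weak_accounts` and `sample_shadow` are hypothetical and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: classify password hashes by crypt(3) scheme prefix.
# Function names and the sample data are hypothetical/constructed.

# Reads shadow(5)- or passwd(5)-format lines on stdin; prints "user scheme".
classify_shadow() {
    awk -F: '
    {
        h = $2
        if (h == "")                    s = "empty"
        else if (h ~ /^[!*]/)           s = "locked"
        else if (h ~ /^\$1\$/)          s = "md5crypt"
        else if (h ~ /^\$2[abxy]?\$/)   s = "bcrypt"
        else if (h ~ /^\$5\$/)          s = "sha256crypt"
        else if (h ~ /^\$6\$/)          s = "sha512crypt"
        else if (h ~ /^\$/)             s = "other"
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "descrypt"
        else                            s = "unknown"
        print $1, s
    }'
}

# Prints only the users whose stored hash is MD5- or DES-based.
weak_accounts() {
    classify_shadow | awk '$2 == "md5crypt" || $2 == "descrypt" { print $1 }'
}

# Constructed sample: placeholder salts and digests, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$placeholderdigest:18474:0:99999:7:::
test1:$1$CONSTRUC$placeholderdigest:18474:0:99999:7:::
nisuser:$2y$10$placeholdersaltanddigest:18474:0:99999:7:::
legacy:ab0123456789A:18474:0:99999:7:::
daemon:*:18474::::::
EOF
}

sample_shadow | classify_shadow
```

On a real host, feed it `/etc/shadow` (as root) or the output of `ypcat passwd`; both carry the hash in the second colon-separated field.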
 
Old 07-31-2020, 09:17 AM   #2
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
Are twofish or AES options? Blowfish is 27 years old. Also, Blowfish and MD5 are 2 completely separate things. MD5 is a hashing algorithm and not an encryption algorithm.
 
1 members found this post helpful.
Old 07-31-2020, 12:41 PM   #3
LinuGeek
Member
 
Registered: Jun 2008
Posts: 126

Original Poster
Rep: Reputation: 0
Okay. I know with SLES15 there are better encryption methods available, SHA126 and SHA512, but the problem is, we have to support Sles12 and SuSE10 NIS Clients at the same time. So we have to find a middle solution. Hence Blowfish, which is at least better than MD5 or DES.
Just wish to have better UNIX passwords security.
 
Old 07-31-2020, 12:46 PM   #4
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
So, SHA algorithms are not encryption algorithms, they are hashing algorithms, which are completely different things. They do not encrypt, they hash, or rather create digests. These are ONE WAY and you cannot retrieve data that has been hashed. This is how you would protect passwords on a Linux system for example.

Encryption is two-way, in that once you provide a key, you can decrypt and read the encrypted text. This is how you would protect sensitive files for example.

These two terms are frequently confused but mean completely different things.
 
Old 07-31-2020, 01:16 PM   #5
LinuGeek
Member
 
Registered: Jun 2008
Posts: 126

Original Poster
Rep: Reputation: 0
Thanks for the clarification.
So what we want is a secure hashing algorithm which works on both SLES12 and SuSE10. I thought Blowfish would work on all. But somehow on SLES15 (even though the documentation says it supports it), I failed to enable/activate Blowfish.
 
Old 07-31-2020, 01:25 PM   #6
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
OK - what are you trying to accomplish or are you "hardening" and trying to use better algorithms for user password storage on Suse? For example, how they are stored in /etc/shadow?
 
Old 08-01-2020, 04:58 AM   #7
LinuGeek
Member
 
Registered: Jun 2008
Posts: 126

Original Poster
Rep: Reputation: 0
Hardening, yes. But not for /etc/passwd. We are setting up a new NIS Server on SLES15. We already have a working NIS but on SuSE10. So we wish to set up a new one on the latest OS, keeping the SLES12 and SLES10 NIS Client functionality intact.
 