GSoC/GCI Archive
Google Code-in 2010 DragonFly BSD

code: Change default password hashing from md5 to SHA2

completed by: Nagato Yuki

mentors: Alex Hornung, Samuel J. Greear

DragonFly currently still uses md5 as the default password hash for /etc/master.passwd. As md5 is considered cryptographically broken, it's about time we move on. This task will involve adding support and changing the default to using SHA2 (SHA256 and/or SHA512). SHA384 is currently not supported by libmd and is hence not usabe for this.

The steps to follow are:


  1. add support for sha2 (256, 512?) to lib/libcrypt in two new files, crypt-sha256.c and crypt-sha512.c. This is relatively trivial and just needs to use the functions provided by libmd. It also involves adapting the Makefile to these changes.
  2. modify the #define PASSWORD_HASH in lib/pam_module/pam_unix/pam_unix.c to the new hash to be used
  3. modify the default passwd_format in etc/login.conf
  4. Test it! An untested submission will not be accepted.



It is imperative that this task is handed in as a proper unified patch, either the output of git format-patch (preferred) or a manual diff -Nau. A test to see if buildworld still runs after the changes should also be performed. If any help is required, feel free to drop me a mail or ask on our IRC channel, #dragonflybsd on efnet.