Directory Server 6.1 and Unix Crypt…

Sun Java System Directory Server has supported for many years the ability to hash the userPassword attribute with the crypt(3C) algorithm.

But the crypt function has evolved from the basic standard Unix crypt algorithm (which truncates password to 8 characters) to support MD5, Blowfish and other stronger algorithms.

Until Directory Server 6.1, there was very limited support for those algorithms (it happened that a password hashed with MD5 – outside DS – could be used for authentication, but the server itself would never hash a password this way).

Starting with Directory Server 6.1, there is now a way to tune the CRYPT password storage plugin to specify which crypt algorithm to use, and on Solaris only, it is even possible to delegate the choice of algorithm to the OS via the /etc/security/policy.conf (and the CRYPT_DEFAULT directive).

The way to configure with algorithm is used by the crypt library when hashing a userPassword to store in Directory Server is to add an argument to the "CRYPT password storage" plugin configuration entry.

# dsconf set-plugin-prop CRYPT argument:<Pattern>

where <Pattern> is a choice of (but not limited to):

%.2s – Default unix crypt algorithm (and the default

when no argument is defined)

$1$%.8s – bsd md5

$2a$04$%.22s – Blowfish

$md5$%.8s$ – Sun md5

If <Pattern> maps to an algorithm that is not supported by the OS (for example $2$, old variants of blowfish), then a warning message is logged and the hash will be done using the default Unix algorithm

This guarantee that the password is always hashed even if the configured salt does not match an existing algorithm.

On Solaris only, a special value of "auto" is allowed to specify that CRYPT will use the system’s default mechanism, as configured in /etc/security/policy.conf


  • Changing the plugin configuration requires a restart of Directory Server to be taken into account.
  • You should use this new capability carefully, especially in a heterogeneous and replicated environment where some algorithms might not be present or enabled.
  • Make sure that CRYPT is the password Storage mechanism defined in the Password Policy configuration (the default is SSHA).


> dsconf set-plugin-prop -p 1389 CRYPT ‘argument=$md5$%.8s$’

Enter "cn=Directory Manager" password:

Directory Server must be restarted for changes to take effect.

> dsadm restart /local/demo/ds

> dsconf get-plugin-prop -p 1389 CRYPT

Enter "cn=Directory Manager" password:

argument : $md5$%.8s$

depends-on-named :

depends-on-type :

desc : Unix crypt algorithm (CRYPT)

enabled : on

feature : crypt-password-storage-scheme

init-func : crypt_pwd_storage_scheme_init

lib-path : /opt/SUNWdsee/ds6/lib/

type : pwdstoragescheme

vendor : Sun Microsystems, Inc.

version : 6.2


Technorati Tags: , ,