AIX

  • 1.  Issue with crypt C API on AIX 7.1

    Posted Thu May 29, 2014 02:37 AM

    Originally posted by: YuvrajN


    I am writing a password reset utility on AIX (7.1.0.0) and I need to support the SMD5, SSHA256, SSHA512 and BLOWFISH password hash algorithms. I have successfully implemented the code for SMD5, SSHA256 and SSHA512. However, for the BLOWFISH algorithm the 'crypt' API still returns a normal DES hash and not the BLOWFISH hash. I tried different prefixes in the salt value: {sblowfish}, {sblowfish}08$, {SBLOWFISH} and {SBLOWFISH}08$. However, I still don't get a blowfish hash. On AIX 5.3 the {sblowfish} prefix in the salt value works and I get the required hash. However, on AIX 7.1 it doesn't work.

    The format for the salt value I am using is as follows -

    MD5 - {smd5}<randomly generated 8 characters>$

    SHA256 - {ssha256}06$<randomly generated 8 characters>$

    SHA512 - {ssha512}06$<randomly generated 8 characters>$

    BLOWFISH - {sblowfish}08$<randomly generated 22 characters>$

    I then pass the user password and salt value to the 'crypt' API in 'C'.

    crypt(password, salt);

    For MD5, SHA256 and SHA512 I get a password hash which is compliant with the corresponding algorithm.

    However, for the BLOWFISH salt, the 'crypt' API rejects the salt and instead returns a normal DES hash.

    Can anybody please help out here? Thanks in advance.




  • 2.  Re: Issue with crypt C API on AIX 7.1

    Posted Thu May 29, 2014 07:52 AM

    Originally posted by: YannickBergeron


    Which AIX 7.1 TL and SP?

    What do you have in /etc/security/pwdalg.cfg ?

    Can you also list the content of this folder? /usr/lib/security




  • 3.  Re: Issue with crypt C API on AIX 7.1

    Posted Thu May 29, 2014 08:21 AM

    Originally posted by: YuvrajN


    uname -a returned this => AIX sovma141 1 7 0002A827D600

    oslevel returned this => 7.1.0.0

    Attached pwdalg.cfg file.

    Contents of /usr/lib/security -

    64               LOCAL            fpm              pam_allowroot    rbacaudconf      ssha
    CC_EVALify.sh    LOCAL64          methods.cfg      pam_ckfile       risk-manager     ssha_64
    KRB5             NIS              mkuser.default   pam_mkuserhome   sblowfish        tnc
    KRB5_64          NIS_64           mkuser.sys       pam_permission   sblowfish_64
    LDAP             PAM              pam_aix          pam_prohibit     smd5
    LDAP64           acl              pam_allow        pam_rhosts_auth  smd5_64
     

    'usw' stanza in /etc/security/login.cfg =>

    usw:
            shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
            maxlogins = 32767
            logintimeout = 60
            maxroles = 8
            auth_type = STD_AUTH
            pwd_algorithm = sblowfish
     




  • 4.  Re: Issue with crypt C API on AIX 7.1

    Posted Thu May 29, 2014 09:13 AM

    Originally posted by: YannickBergeron


    "oslevel -s" would provide a more precise oslevel (including TL and SP).

    You don't seem to have the blowfish security library on your system, as it's not in /usr/lib/security.

    On my AIX 7.1 TL2 SP3 system:

    # grep -p blowfish /etc/security/pwdalg.cfg |egrep -v "^\*"
    sblowfish:
            lpa_module = /usr/lib/security/sblowfish

    # ls /usr/lib/security/sblow*
    -r--r--r--    1 root     security     366976 Aug 26 2011  /usr/lib/security/sblowfish
    -r--r--r--    1 root     security     378136 Sep 05 2012  /usr/lib/security/sblowfish_64




  • 5.  Re: Issue with crypt C API on AIX 7.1

    Posted Fri May 30, 2014 01:50 AM

    Originally posted by: YuvrajN


    oslevel => 7100-02-01-1245

    I have blowfish installed.

    bash-4.2# grep -p blowfish /etc/security/pwdalg.cfg |egrep -v "^\*"
    sblowfish:
            lpa_module = /usr/lib/security/sblowfish
     

    bash-4.2# ls /usr/lib/security/sblow*
    /usr/lib/security/sblowfish     /usr/lib/security/sblowfish_64
     

    Do you know what prefix I need to use in the salt value for generating a blowfish hash on AIX 7.1 using the crypt C API?

    Below is my format for the salt value on AIX 7.1:

    {sblowfish}08$<random 22 characters>$

    The strange thing is that on AIX 5.3 using just {sblowfish}$ works well. The same prefix doesn't work on AIX 7.1. So I inspected how passwd generates the hash and found out that it used the prefix {sblowfish}08$. However, my code is still not able to generate the blowfish hash. I am wondering what the correct prefix format for blowfish is.

    Please let me know if you are aware of anything related to this issue. Thank you for your help.




  • 6.  Re: Issue with crypt C API on AIX 7.1

    Posted Fri May 30, 2014 08:23 AM

    Originally posted by: YannickBergeron


    The "08$" makes some sense. FYI, I'm using ssha512 and every password hash starts with {ssha512}06$




  • 7.  Re: Issue with crypt C API on AIX 7.1

    Posted Fri May 30, 2014 02:45 PM

    Originally posted by: YuvrajN


    Right. "08$" is actually the number of cost iterations for the blowfish algorithm. This can vary from 04 to 31. The default is 08. Not sure why it still doesn't work.


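The salt layouts from the first post, with a check that refuses the silent DES fallback the thread describes, as an added example that is not code from any poster here. `build_salt`, `checked_crypt` and `stub_crypt` are hypothetical names, the salt alphabet is an assumption, and the stub is a constructed stand-in for `crypt` so the block runs without AIX.

```c
#include <stdio.h>
#include <string.h>

typedef char *(*crypt_fn)(const char *key, const char *salt); /* crypt(3) shape */
/* Assumed salt alphabet (traditional crypt set), not taken from AIX docs. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Build "{algo}NN$<n chars>$", or "{algo}<n chars>$" when cost < 0: the
 * layouts listed in the first post. Returns 0 on success, -1 on error. */
int build_salt(char *out, size_t outlen, const char *algo, int cost, size_t n)
{
    unsigned char rnd[64];
    FILE *f;
    int off = cost < 0 ? snprintf(out, outlen, "{%s}", algo)
                       : snprintf(out, outlen, "{%s}%02d$", algo, cost);
    if (n > sizeof rnd || off < 0 || (size_t)off + n + 2 > outlen)
        return -1;
    if ((f = fopen("/dev/urandom", "rb")) == NULL)  /* kernel CSPRNG, not rand() */
        return -1;
    if (fread(rnd, 1, n, f) != n) { fclose(f); return -1; }
    fclose(f);
    for (size_t i = 0; i < n; i++)
        out[off + i] = SALT_CHARS[rnd[i] & 0x3f];   /* 64 symbols, no modulo bias */
    memcpy(out + off + n, "$", 2);                  /* trailing '$' and NUL */
    return 0;
}

/* Accept fn(key, salt) only if the result starts with the salt's "{algo}"
 * tag. A DES hash carries no tag, so the fallback yields NULL. */
const char *checked_crypt(crypt_fn fn, const char *key, const char *salt)
{
    const char *end = strchr(salt, '}');
    const char *hash = (salt[0] == '{' && end) ? fn(key, salt) : NULL;
    if (hash == NULL || strncmp(hash, salt, (size_t)(end - salt) + 1) != 0)
        return NULL;
    return hash;
}

/* Constructed stand-in for crypt(): models the report above by returning an
 * untagged 13-character string whenever the salt asks for {sblowfish}. */
char *stub_crypt(const char *key, const char *salt)
{
    static char buf[128];
    int des = strncmp(salt, "{sblowfish}", 11) == 0;
    (void)key;
    snprintf(buf, sizeof buf, "%s%s", des ? "" : salt, "ab0123456789.");
    return buf;
}
```

In a real utility, pass the platform's `crypt` as the first argument; a NULL return means the hash came back in a different scheme than the one requested and should not be stored.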