WARNING: using the method below will lock you out of the emergency console, since whatever crypt it uses surely doesn’t understand bcrypt (as I experienced myself). Additionally, this solution won’t add bcrypt support to other applications that use the crypt interface, like proftpd, unless they are started with libxcrypt.so preloaded first (also from my own experience).
As much as Drepper wants to pretend bcrypt is the wrong solution, it actually gives one benefit: ease of switching to Linux. Some systems use bcrypt by default or can be configured to use it. In other cases, there might be times when you need the system’s crypt (or applications using the system’s crypt) to handle bcrypt passwords from an external system (usually web applications).
It’s quite difficult to enable bcrypt support in RHEL-based distros as there is no pam_unix2 package available. Thankfully it’s available in Debian (and derivatives) in package
The README.Debian says to modify the files in /etc/pam.d but, if I remember correctly, that confused apt’s PAM handling or whatever. Fast forward a few weeks, and I discovered a better way to use it: create a PAM configuration in /usr/share/pam-configs. Since it’s mostly equivalent to the normal pam_unix, I just copy and modify the file using this (long-ass) sed one-liner:

sed -e 's/pam_unix.so/pam_unix2.so/g;s/^Name: Unix authentication$/Name: Unix2 authentication/;s/sha512/blowfish rounds=8/g;s/ nullok_secure//' /usr/share/pam-configs/unix > /usr/share/pam-configs/unix2

The sha512 replacement matches the option on its own rather than the whole "pam_unix2.so obscure sha512" string, so it also rewrites the Password: line that carries use_authtok try_first_pass (used when another password module, such as pam_cracklib, precedes pam_unix in the stack), not just the Password-Initial: line.
Then run pam-auth-update, select Unix2 authentication and deselect Unix authentication. Don’t forget to update the passwords of all other users as well, or they won’t be able to log in, since pam_unix2 doesn’t recognize sha-based hashes.
Actually, change all other users’ passwords to use md5 first, before replacing the PAM with
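To see up front which accounts would be locked out by the switch, here is an added Python check (not from the original post) that classifies the hash field of shadow(5) entries by its crypt prefix. It assumes pam_unix2 accepts DES, md5 ($1$) and blowfish ($2a$) hashes and not the sha256/sha512 ($5$/$6$) ones; the shadow lines below are constructed samples with fake hashes.

```python
import re

# Crypt prefixes pam_unix2 is documented to handle (DES, md5, blowfish) and the
# sha-based ones from pam_unix's default that it does not (assumption: $2a$ only;
# check your installed libxcrypt before counting other blowfish variants as ok).
UNIX2_OK = {"$1$": "md5", "$2a$": "blowfish"}
UNIX2_MISSING = {"$5$": "sha256", "$6$": "sha512"}

# Constructed sample shadow lines (fake hashes, not taken from a real system).
SAMPLE_SHADOW = [
    "root:$6$c0nstructed$" + "a" * 86 + ":15400:0:99999:7:::",
    "alice:$2a$08$" + "b" * 53 + ":15400:0:99999:7:::",
    "bob:$1$c0nstr$" + "c" * 22 + ":15400:0:99999:7:::",
    "carol:$5$c0nstructed$" + "d" * 43 + ":15400:0:99999:7:::",
    "daemon:*:15400:0:99999:7:::",
    "dave:!$6$locked$" + "e" * 86 + ":15400:0:99999:7:::",
    "legacy:abXXXXXXXXXXX:15400:0:99999:7:::",
]

def classify_hash(h):
    """Return (status, scheme): status is 'ok', 'locked-out' or 'disabled'."""
    if h in ("", "*") or h.startswith("!"):
        return "disabled", None          # no password login at all, unaffected
    if h.startswith("$"):
        prefix = "$" + h.split("$")[1] + "$"
        if prefix in UNIX2_OK:
            return "ok", UNIX2_OK[prefix]
        if prefix in UNIX2_MISSING:
            return "locked-out", UNIX2_MISSING[prefix]
        return "locked-out", "unknown"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "ok", "des"               # traditional 13-character DES crypt
    return "locked-out", "unknown"

def audit_shadow(lines):
    """Map user name -> (status, scheme) for shadow(5)-format lines."""
    result = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            result[fields[0]] = classify_hash(fields[1])
    return result

def users_to_rehash(lines):
    """Users whose password must be reset (e.g. to md5) before the switch."""
    return sorted(u for u, (status, _) in audit_shadow(lines).items()
                  if status == "locked-out")
```

On a real box, pass the lines of /etc/shadow (readable only as root) to users_to_rehash and reset those passwords before running pam-auth-update.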
Update 2012-04-01: Removed nullok_secure since it isn’t supported.
Update 2012-06-09: Added warning.