crypt.html

来自「FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主」· HTML 代码 · 共 121 行

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>DES, MD5, and Crypt</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="确保FreeBSD的安全" href="securing-freebsd.html" />
<link rel="NEXT" title="One-time Passwords" href="one-time-passwords.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="securing-freebsd.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="one-time-passwords.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="CRYPT" name="CRYPT">10.4. DES, MD5, and Crypt</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Parts rewritten and updated by</span> Bill
Swingle.</i> 

<p>Every user on a <span class="TRADEMARK">UNIX</span>&reg; system has a password
associated with their account. It seems obvious that these passwords need to be known
only to the user and the actual operating system. In order to keep these passwords
secret, they are encrypted with what is known as a ``one-way hash'', that is, they can
only be easily encrypted but not decrypted. In other words, what we told you a moment ago
was obvious is not even true: the operating system itself does not <span
class="emphasis"><i class="EMPHASIS">really</i></span> know the password. It only knows
the <span class="emphasis"><i class="EMPHASIS">encrypted</i></span> form of the password.
The only way to get the ``plain-text'' password is by a brute force search of the space
of possible passwords.</p>

<p>Unfortunately the only secure way to encrypt passwords when <span
class="TRADEMARK">UNIX</span> came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in the US, but since the source
code for DES could not be exported outside the US, FreeBSD had to find a way to both
comply with US law and retain compatibility with all the other <span
class="TRADEMARK">UNIX</span> variants that still used DES.</p>

<p>The solution was to divide up the encryption libraries so that US users could install
the DES libraries and use DES but international users still had an encryption method that
could be exported abroad. This is how FreeBSD came to use MD5 as its default encryption
method. MD5 is believed to be more secure than DES, so installing DES is offered
primarily for compatibility reasons.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN10965" name="AEN10965">10.4.1. Recognizing Your Crypt
Mechanism</a></h2>

<p>Before FreeBSD&nbsp;4.4 <tt class="FILENAME">libcrypt.a</tt> was a symbolic link
pointing to the library which was used for encryption. FreeBSD&nbsp;4.4 changed <tt
class="FILENAME">libcrypt.a</tt> to provide a configurable password authentication hash
library. Currently the library supports DES, MD5 and Blowfish hash functions. By default
FreeBSD uses MD5 to encrypt passwords.</p>

<p>It is pretty easy to identify which encryption method FreeBSD is set up to use.
Examining the encrypted passwords in the <tt class="FILENAME">/etc/master.passwd</tt>
file is one way. Passwords encrypted with the MD5 hash are longer than those encrypted
with the DES hash and also begin with the characters <var class="LITERAL">$1$</var>.
Passwords starting with <var class="LITERAL">$2$</var> are encrypted with the Blowfish
hash function. DES password strings do not have any particular identifying
characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the <var class="LITERAL">$</var> character, so a
relatively short string which does not begin with a dollar sign is very likely a DES
password.</p>

<p>The password format used for new passwords is controlled by the <var
class="LITERAL">passwd_format</var> login capability in <tt
class="FILENAME">/etc/login.conf</tt>, which takes values of <var
class="LITERAL">des</var>, <var class="LITERAL">md5</var> or <var
class="LITERAL">blf</var>. See the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">login.conf</span>(5)</span> manual page for more information about
login capabilities.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="securing-freebsd.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="one-time-passwords.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">确保FreeBSD的安全</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">One-time Passwords</td>
</tr>
</table>
</div>
</body>
</html>