How do I enable crypt_blowfish support for shadowed passwords and PHP on a Linux (Debian) server?

I'm referring to the OpenBSD-style Blowfish-based bcrypt, known in PHP as CRYPT_BLOWFISH.

As far as I know there is no Debian package for it; what other options do I have to enable this hashing algorithm for PHP?

Note:
PHP's crypt() function interfaces relatively directly with the C-library crypt(3) function provided by the underlying operating system.

Update
Package naming is not as clear as it could (should) be.
The PEAR Crypt_Blowfish package is a drop-in replacement for PHP's MCrypt extension, allowing for quick two-way blowfish encryption.

The Debian BCrypt package is also an implementation of the 'normal' two-way blowfish algorithm.

What I'm looking for is the Bcrypt-hash implementation for hashing passwords.

Jacco

1 Answer

The package you need to install in Debian is libpam-unix2.

Then you will have to edit the following files under /etc/pam.d/, and change all pam_unix.so usage to pam_unix2.so:

  • common-account
  • common-auth
  • common-password
  • common-session

Finally, edit the common-password file and replace the "md5" parameter with "blowfish".

Passwords that are updated after these modifications are made will be hashed using blowfish. Existing shadow passwords are not modified. Source

To use blowfish in PHP, you provide a blowfish salt to crypt(). Like this:

// bcrypt setting: "$2a$" + two-digit cost + exactly 22 characters from [./0-9A-Za-z]; check CRYPT_BLOWFISH == 1 first
crypt('string', '$2a$07$' . substr('saltsaltsaltsaltsaltsalt', 0, 22))

You should first check if CRYPT_BLOWFISH==1. And you'll need to use a long enough salt, which is equal to (or greater than) 22 characters. Source

Tom Zych
hayalci
  • Hmmm, after making those changes, CRYPT_BLOWFISH still doesn't equal 1, for some reason. – Kzqai Aug 05 '11 at 15:57
  • A caveat: if your version of pam_unix2 doesn't support the hashing algorithm currently used for a user's password, that user may not be able to log in. I think that's what I ran into on my Debian box; some accounts were using SHA512 and could not log in, but an account that used MD5 could. You can set those passwords from root, because `passwd` doesn't ask for the old password when run from root. **Important: keep your root session open until you're sure you can log in again!** – Tom Zych Dec 02 '15 at 03:17
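As an added example (not code from the answer or its author), this Python script checks the two things the answer and the comments above raise: which algorithm each existing /etc/shadow entry was hashed with, since switching PAM to pam_unix2 + blowfish does not rewrite existing hashes and can leave users on an unsupported algorithm unable to log in, and whether a crypt() setting string is a complete bcrypt salt with the full 22 characters. The shadow lines and the prefix table are constructed for the example; the hash bodies are dummies.

```python
import base64
import os
import re

# Prefix -> algorithm as written by crypt(3) through pam_unix / pam_unix2 (constructed table;
# "$2a$" is the OpenBSD-style bcrypt the question asks about).
HASH_PREFIXES = {"$1$": "md5", "$2a$": "blowfish (bcrypt)", "$2y$": "blowfish (bcrypt)",
                 "$5$": "sha256", "$6$": "sha512"}

# A complete bcrypt setting: "$2a$"/"$2y$", a two-digit cost, then exactly 22 chars of [./A-Za-z0-9].
BCRYPT_SALT_RE = re.compile(r"^\$2[ay]\$(\d{2})\$[./A-Za-z0-9]{22}$")

def hash_algorithm(field: str) -> str:
    """Classify one password field (second column of an /etc/shadow line)."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no password"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des (traditional)" if len(field) == 13 else "unknown"

def audit_shadow(lines):
    """user -> algorithm: shows who still has md5/sha hashes before PAM is switched to
    pam_unix2 + blowfish, since existing hashes are not rewritten by that change."""
    result = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]
            result[user] = hash_algorithm(field)
    return result

def make_bcrypt_salt(cost: int = 7) -> str:
    """Setting string for crypt() with CRYPT_BLOWFISH: 16 random bytes, base64-encoded,
    cut to 22 chars, '+' mapped to '.' so every char is in the bcrypt alphabet."""
    raw = base64.b64encode(os.urandom(16)).decode("ascii")  # 24 chars, ends with "=="
    return f"$2a${cost:02d}${raw[:22].replace('+', '.')}"

def is_valid_bcrypt_salt(setting: str) -> bool:
    """True if this is a complete bcrypt setting with a cost in the allowed 04..31 range."""
    m = BCRYPT_SALT_RE.match(setting)
    return bool(m) and 4 <= int(m.group(1)) <= 31

# Constructed sample shadow lines; the hash bodies are dummies, not real password hashes.
SAMPLE_SHADOW = [
    "root:$6$abcdefgh$DUMMYSHA512HASH:15000:0:99999:7:::",
    "alice:$1$abcdefgh$DUMMYMD5HASH:15000:0:99999:7:::",
    "bob:$2a$07$abcdefghijklmnopqrstuvDUMMYBCRYPT:15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
]
```

On a real box, run `audit_shadow(open('/etc/shadow'))` as root before changing the PAM files, and reset any account whose algorithm your pam_unix2 build does not support while the root session is still open.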