System password algorithm

A system administrator can set a system-wide password algorithm by selecting an LPA as the password hashing algorithm. There can only be one active system password algorithm at a time. The system password algorithm is defined by the pwd_algorithm system attribute in the usw stanza in the /etc/security/login.cfg file.

The valid values for the pwd_algorithm attribute in the /etc/security/login.cfg file are LPA stanza names that are defined in the /etc/security/pwdalg.cfg file. Another valid value for the pwd_algorithm attribute is crypt, which refers to traditional crypt encryption. If the pwd_algorithm attribute is omitted from the config file, crypt is used as the default value.

The following example of the /etc/security/login.cfg file uses ssha256 LPA as the system-wide password encryption algorithm.
... ...
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
        pwd_algorithm = ssha256
... ...
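A small audit helper, added here as an example and not part of the original documentation, that parses the AIX stanza format used by /etc/security/login.cfg and /etc/security/pwdalg.cfg, reads usw.pwd_algorithm (falling back to crypt when the attribute is omitted, as described above), and checks that the value is either crypt or an LPA stanza name defined in pwdalg.cfg. The file contents embedded below are constructed samples, and the lpa_module / lpa_options attributes in them are assumed for illustration.

```python
import re

# Constructed sample of /etc/security/pwdalg.cfg: one stanza per LPA.
PWDALG_CFG = """\
ssha256:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha256

smd5:
        lpa_module = /usr/lib/security/smd5
"""

# Constructed sample of /etc/security/login.cfg selecting the ssha256 LPA.
LOGIN_CFG = """\
default:
        logintimes =

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93
        maxlogins = 32767
        auth_type = STD_AUTH
        pwd_algorithm = ssha256
"""

def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} for AIX stanza-format text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue                       # blank line or '*' comment
        m = re.match(r"^(\S+):\s*$", line)
        if m:                              # an unindented "name:" opens a stanza
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            attr, _, value = line.partition("=")   # split on the first '=' only
            current[attr.strip()] = value.strip()
    return stanzas

def check_pwd_algorithm(login_cfg, pwdalg_cfg):
    """Return (algorithm, status); status is 'ok', 'weak' or 'invalid'."""
    algo = parse_stanzas(login_cfg).get("usw", {}).get("pwd_algorithm", "crypt")
    if algo == "crypt":
        return algo, "weak"                # traditional crypt, the implicit default
    if algo in parse_stanzas(pwdalg_cfg):
        return algo, "ok"                  # names an LPA stanza in pwdalg.cfg
    return algo, "invalid"                 # no such LPA stanza is defined

if __name__ == "__main__":
    print(check_pwd_algorithm(LOGIN_CFG, PWDALG_CFG))   # ('ssha256', 'ok')
```

On a live system, pass the contents of the real /etc/security/login.cfg and /etc/security/pwdalg.cfg to check_pwd_algorithm instead of the samples.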

The system password algorithm takes effect only for newly created passwords and changed passwords. After the migration, all subsequent new passwords and password changes use the system password algorithm. Passwords that existed before the system password algorithm was chosen, whether generated by the standard crypt function or by another supported LPA module, continue to work on the system. Therefore, passwords generated by different LPAs can coexist on the same system.