IBM Support

AIX: Making SHA-256 and SHA-512 passwords compatible with other OS's

Question & Answer


Question

How do I make AIX SHA-256 and SHA-512 passwords compatible with those that are generated by other Linux/Unix OS's?

Answer


TARGET AUDIENCE:

Users who want AIX to be able to recognize passwords that have been hashed on another Linux/Unix OS; for example, AIX systems that use another OS as their NIS server.

OBJECTIVE:


Provide instructions to configure AIX to have passwords compatible with other OS's.

PROCEDURES:


AIX represents a hashed password in the following form (using SHA-256 as an example):


{ssha256}06$W2fCLLad8jr4JH0Y$T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF


This breaks down into:

Identifier:

{ssha256}

This identifier is going to be a stanza that is defined in /etc/security/pwdalg.cfg; for example:

ssha256:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha256


The next part is the 'cost'. This defaults to 6 and is ended by a dollar sign:

06$


This value can be set between 4 and 31 in pwdalg.cfg, and causes 2^cost hashing iterations to be performed when hashing the password.

The next part is the salt, which defaults to a length of 16 for SHA-256 and is ended by a dollar sign:
 

W2fCLLad8jr4JH0Y$

The salt length can also be modified in pwdalg.cfg.

Finally, we have the hashed portion of the password:

T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF


Comparing this with a password hashed on another Unix or Linux OS, we would see something like:

$5$UsjqZRFo2T4pDcTz$ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2


This breaks down into the identifier:

$5$

The salt:

UsjqZRFo2T4pDcTz$

The hashed portion:

ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2


Visible differences with this style are:
1) The identifier is numeric and enclosed in dollar signs rather than curly brackets
2) It does not contain a section for cost

The name of the identifier and use of dollar signs around the identifier can be easily configured in pwdalg.cfg: you can use any identifier you like, such as '5', by creating a stanza with that identifier. You may also specify that the identifier be enclosed in dollar signs by using the lpa_option 'prefix_dollar'.

However, the more fundamental difference between the AIX and Linux password representations is that the actual hashing algorithm is different. If AIX does not know the proper algorithm to use, it will never be able to compare a user's plaintext password with the hash that is stored.
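The following is an added example (it is not IBM's code and is not part of this technote) that takes apart both stored-hash strings shown above into their identifier, cost or rounds, salt and hash fields, and then, for the Linux-style $5$ and $6$ formats only, recomputes the hash with a pure-Python implementation of the SHA-crypt algorithm that the Linux side uses (the algorithm published by Ulrich Drepper in SHA-crypt.txt, with its byte-permutation tables). The AIX-native {ssha256} format is only parsed, never recomputed, because its algorithm is not described here; that is exactly the gap the text above describes. The function names, the two regular expressions and the "Hello world!" / "saltstring" test vector (taken from SHA-crypt.txt) are this example's own assumptions.

```python
"""Dissect AIX-style and Linux-style stored hashes and recompute Linux
SHA-crypt ($5$/$6$) hashes.  Added example, not IBM's or AIX's code.
SHA-crypt steps and permutation tables follow Ulrich Drepper's
SHA-crypt.txt; the AIX-native {ssha256} algorithm is not described on the
page, so those hashes are only parsed, never recomputed."""
import hashlib
import hmac
import re

AIX_RE = re.compile(r"^\{(?P<id>[^}]+)\}(?P<cost>\d{2})\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$")
LINUX_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")

def dissect(stored: str) -> dict:
    """Split a stored hash into identifier, cost/rounds, salt and hash fields."""
    m = AIX_RE.match(stored)
    if m:                      # {id}cost$salt$hash -> 2**cost hashing iterations
        cost = int(m["cost"])
        return {"style": "aix", "id": m["id"], "cost": cost, "iterations": 2 ** cost,
                "salt": m["salt"], "hash": m["hash"]}
    m = LINUX_RE.match(stored)
    if m:                      # $id$[rounds=N$]salt$hash -> SHA-crypt, default 5000 rounds
        return {"style": "linux", "id": m["id"],
                "rounds": int(m["rounds"]) if m["rounds"] else 5000,
                "salt": m["salt"], "hash": m["hash"]}
    raise ValueError("unrecognised stored-hash format")

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte permutation from SHA-crypt.txt: (byte2, byte1, byte0, chars) per
# 24-bit group; None stands for a zero byte.
PERM = {
    "sha256": [(0, 10, 20, 4), (21, 1, 11, 4), (12, 22, 2, 4), (3, 13, 23, 4),
               (24, 4, 14, 4), (15, 25, 5, 4), (6, 16, 26, 4), (27, 7, 17, 4),
               (18, 28, 8, 4), (9, 19, 29, 4), (None, 31, 30, 3)],
    "sha512": [(0, 21, 42, 4), (22, 43, 1, 4), (44, 2, 23, 4), (3, 24, 45, 4),
               (25, 46, 4, 4), (47, 5, 26, 4), (6, 27, 48, 4), (28, 49, 7, 4),
               (50, 8, 29, 4), (9, 30, 51, 4), (31, 52, 10, 4), (53, 11, 32, 4),
               (12, 33, 54, 4), (34, 55, 13, 4), (56, 14, 35, 4), (15, 36, 57, 4),
               (37, 58, 16, 4), (59, 17, 38, 4), (18, 39, 60, 4), (40, 61, 19, 4),
               (62, 20, 41, 4), (None, None, 63, 2)],
}

def _encode(digest: bytes, alg: str) -> str:
    """SHA-crypt's permuted base64: each 24-bit group is emitted low 6 bits first."""
    out = []
    for b2, b1, b0, n in PERM[alg]:
        w = sum((digest[i] if i is not None else 0) << shift
                for i, shift in ((b2, 16), (b1, 8), (b0, 0)))
        for _ in range(n):
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)

def sha_crypt(password: bytes, salt: bytes, alg: str = "sha256", rounds: int = 5000) -> str:
    """Hash portion of a $5$/$6$ string (steps 1-22 of SHA-crypt.txt)."""
    h = getattr(hashlib, alg)
    dlen = h().digest_size
    salt = salt[:16]                             # the spec caps the salt at 16 bytes
    plen = len(password)
    b = h(password + salt + password).digest()
    a = h(password + salt)
    a.update((b * (plen // dlen + 1))[:plen])    # B once per dlen bytes of password, then its prefix
    n = plen
    while n:                                     # bits of len(password): 1 -> add B, 0 -> add password
        a.update(b if n & 1 else password)
        n >>= 1
    c = a.digest()
    dp = h(password * plen).digest()
    p = (dp * (plen // dlen + 1))[:plen]
    ds = h(salt * (16 + c[0])).digest()
    s = (ds * (len(salt) // dlen + 1))[:len(salt)]
    for i in range(rounds):                      # the slow part: `rounds` sequential hashes
        r = h(p if i & 1 else c)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(p)
        r.update(c if i & 1 else p)
        c = r.digest()
    return _encode(c, alg)

def verify_linux(password: str, stored: str) -> bool:
    """True if `password` produces the stored $5$ or $6$ hash; raises for other formats."""
    f = dissect(stored)
    if f["style"] != "linux" or f["id"] not in ("5", "6"):
        raise ValueError("can only recompute Linux-style $5$/$6$ SHA-crypt hashes")
    alg = "sha256" if f["id"] == "5" else "sha512"
    computed = sha_crypt(password.encode(), f["salt"].encode(), alg, f["rounds"])
    return hmac.compare_digest(computed, f["hash"])   # constant-time compare

if __name__ == "__main__":
    for example in ("{ssha256}06$W2fCLLad8jr4JH0Y$T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF",
                    "$5$UsjqZRFo2T4pDcTz$ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2"):
        print(dissect(example))
    # Test vector from SHA-crypt.txt
    print(verify_linux("Hello world!", "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"))
```

Running it prints the field breakdown of both hashes from this technote (the AIX one with cost 6, so 64 iterations) and True for the SHA-crypt test vector. Note that the password behind the technote's own $5$ example is not given, so only the published test vector can be verified here.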

There is a solution, though. A note regarding using Linux-style password hashing is located here:

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.rnbase720/rnbase720.htm#sha256

It says:

"Linux SHA-256 and SHA-512 password cryptographic algorithm

A Loadable Password Algorithm (LPA) model is available that supports the Linux SHA-256 and SHA-512 password cryptographic algorithm. The Linux SHA-256 and SHA-512 password cryptographic algorithm is supported by other operating systems and was published in the public domain by Ulrich Drepper (https://www.akkadia.org/drepper/SHA-crypt.txt).

The LPA model is included in the pwmod Licensed Program Product (LPP) package. You can get the pwmod package from the AIX Web Download Pack website."


At the Web Download Pack site, you can find the AIX Loadable Password Algorithm (LPA):

https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=pwmod

Choose to download this, and it will download a package called 'pwmod'. This package can be installed with 'smitty install'.
This puts the /usr/lib/security/lsha and lsha_64 modules in place on your system.

Modify your pwdalg.cfg to have a stanza called '5':
 

5:
        lpa_module = /usr/lib/security/lsha
        lpa_options = algorithm=sha256,prefix_dollar



Your system will now be able to recognize SHA-256 passwords generated using the Linux-style hashing method.

For Linux-style SHA-512, add a stanza called '6':
 

6:
        lpa_module = /usr/lib/security/lsha
        lpa_options = algorithm=sha512,prefix_dollar




At this point, AIX will now be able to understand passwords hashed using the Linux-style SHA-256 or SHA-512 ('5' or '6') methods.
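As an added example (not IBM's code and not part of this technote), the script below reads pwdalg.cfg-style stanzas and checks, for a set of stored hashes, whether a stanza exists whose identifier and prefix style (curly-brace form versus the 'prefix_dollar' form described earlier) match each hash. A hash with no matching stanza is one AIX cannot compare, which is the situation the stanzas above fix. The stanza text is the technote's ssha256 and '5' stanzas; the user/hash pairs are constructed samples, and the assumption that '*' starts a comment line, together with the helper names, are this example's own.

```python
"""Check which stored hashes the stanzas in /etc/security/pwdalg.cfg can
handle.  Added example, not IBM's code: the stanza text is the technote's
ssha256 and '5' stanzas, and the user/hash pairs are constructed samples."""
import re

PWDALG_CFG = """\
ssha256:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha256

5:
        lpa_module = /usr/lib/security/lsha
        lpa_options = algorithm=sha256,prefix_dollar
"""

def parse_pwdalg(text: str) -> dict:
    """Return {stanza_name: {attribute: value}} from pwdalg.cfg-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # assumption: '*' starts a comment, as in other AIX stanza files
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]                # unindented 'name:' opens a stanza
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def hash_identifier(stored: str):
    """(identifier, dollar_prefixed) for '{id}...' or '$id$...' strings, else None."""
    m = re.match(r"^\{([^}]+)\}", stored)
    if m:
        return m.group(1), False
    m = re.match(r"^\$([^$]+)\$", stored)
    if m:
        return m.group(1), True
    return None

def stanza_for(stored: str, stanzas: dict):
    """Name of the stanza whose identifier and prefix style match `stored`, or None."""
    ident = hash_identifier(stored)
    if ident is None:
        return None
    name, dollar = ident
    stanza = stanzas.get(name)
    if stanza is None:
        return None                            # no LPA configured for this identifier
    options = {o.strip() for o in stanza.get("lpa_options", "").split(",")}
    if dollar != ("prefix_dollar" in options):
        return None                            # stanza exists but uses the other prefix style
    return name

def audit(user_hashes: dict, stanzas: dict) -> dict:
    """Map each user to the stanza that can verify their hash (None = AIX cannot compare it)."""
    return {user: stanza_for(stored, stanzas) for user, stored in user_hashes.items()}

# Constructed samples: the first two hash strings are the technote's examples;
# the $6$ entry is a placeholder that no stanza above covers.
SAMPLE_HASHES = {
    "alice": "{ssha256}06$W2fCLLad8jr4JH0Y$T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF",
    "bob": "$5$UsjqZRFo2T4pDcTz$ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2",
    "carol": "$6$constructedsalt$constructedhashvalue",
}

if __name__ == "__main__":
    for user, stanza in audit(SAMPLE_HASHES, parse_pwdalg(PWDALG_CFG)).items():
        print(f"{user:6} -> {stanza or 'NO MATCHING STANZA (add one to pwdalg.cfg)'}")
```

With the two stanzas above, alice's {ssha256} hash maps to the ssha256 stanza and bob's $5$ hash to the '5' stanza, while carol's $6$ hash is reported as unhandled until the '6' stanza shown above is added. A stanza named '5' without 'prefix_dollar' would also be reported as a mismatch, since it would produce and expect the curly-brace form.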


If you would like your system to use one of these methods by default, change the pwd_algorithm value in login.cfg to specify which one you want:
 

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=5


This is not a necessary step; it is only needed if you want AIX to use this hashing method for all newly generated passwords. Existing passwords will still be usable with their old hashing method, but will not be converted to the new method until they are changed.

Prerequisite note:

For this to work, AIX's password hashing routine must support the 'prefix_dollar' option, so that it can produce the same type of prefix that Linux expects.
Support for this is fairly new to AIX; it was introduced in the following bos.rte.libc versions:

7.2.0.1    (7.2tl0-sp2)
7.2.1.0    (7.2tl1 base level)
7.1.4.1    (7.1tl4-sp2)
7.1.3.47   (7.1tl3-sp7)
6.1.9.101  (6.1tl9-sp7)

Those service packs and all higher levels (including 7.1tl5, 7.2tl2, 7.2tl3, and everything going forward) are the only levels of AIX on which this pwmod package will work.


REFERENCES:


CATEGORY:

WWLIB

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a service request (PMR) for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your support call will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation

c.  Contact IBM to open a support call (PMR):


d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your support call (PMR):

Please visit this web page for instructions:  https://www.secure.ecurep.ibm.com/app/upload

FEEDBACK:

Quality documentation is important to IBM and its customers.  If you have feedback specific to this article, please send a detailed message to the email address:

  • aix_feedback@wwpdl.vnet.ibm.com

    - This email address is monitored for feedback purposes only.
    - No support for any IBM products or services will be provided through this email.
    - To receive support, please follow the step-by-step instructions in the above "SUPPORT" section.


Document Information

Modified date:
01 March 2022

UID

isg3T1027597