Sometimes it is necessary to be sure that a user is authorized to use some service a machine provides—for instance, to log in as a particular user id (see Users and Groups). One traditional way of doing this is for each user to choose a secret passphrase; then, the system can ask someone claiming to be a user what the user's passphrase is, and if the person gives the correct passphrase then the system can grant the appropriate privileges. (Traditionally, these were called “passwords,” but nowadays a single word is too easy to guess.)
Programs that handle passphrases must take special care not to reveal them to anyone, no matter what. It is not enough to keep them in a file that is only accessible with special privileges. The file might be “leaked” via a bug or misconfiguration, and system administrators shouldn't learn everyone's passphrase even if they have to edit that file for some reason. To avoid this, passphrases should also be converted into one-way hashes, using a one-way function, before they are stored.
A one-way function is easy to compute, but there is no known way to compute its inverse. This means the system can easily check passphrases, by hashing them and comparing the result with the stored hash. But an attacker who discovers someone's passphrase hash can only discover the passphrase it corresponds to by guessing and checking. The one-way functions are designed to make this process impractically slow, for all but the most obvious guesses. (Do not use a word from the dictionary as your passphrase.)
The GNU C Library provides an interface to four one-way functions, based on the SHA-2-512, SHA-2-256, MD5, and DES cryptographic primitives. New passphrases should be hashed with either of the SHA-based functions. The others are too weak for newly set passphrases, but we continue to support them for verifying old passphrases. The DES-based hash is especially weak, because it ignores all but the first eight characters of its input.
Preliminary: | MT-Unsafe race:crypt | AS-Unsafe corrupt lock heap dlopen | AC-Unsafe lock mem | See POSIX Safety Concepts.
The function
cryptconverts a passphrase string, phrase, into a one-way hash suitable for storage in the user database. The string that it returns will consist entirely of printable ASCII characters. It will not contain whitespace, nor any of the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.The salt parameter controls which one-way function is used, and it also ensures that the output of the one-way function is different for every user, even if they have the same passphrase. This makes it harder to guess passphrases from a large user database. Without salt, the attacker could make a guess, run
crypton it once, and compare the result with all the hashes. Salt forces the attacker to make separate calls tocryptfor each user.To verify a passphrase, pass the previously hashed passphrase as the salt. To hash a new passphrase for storage, set salt to a string consisting of a prefix plus a sequence of randomly chosen characters, according to this table:
One-way function Prefix Random sequence SHA-2-512 ‘$6$’ 16 characters SHA-2-256 ‘$5$’ 16 characters MD5 ‘$1$’ 8 characters DES ‘’ 2 characters In all cases, the random characters should be chosen from the alphabet
./0-9A-Za-z.With all of the hash functions except DES, phrase can be arbitrarily long, and all eight bits of each byte are significant. With DES, only the first eight characters of phrase affect the output, and the eighth bit of each byte is also ignored.
cryptcan fail. Some implementations returnNULLon failure, and others return an invalid hashed passphrase, which will begin with a ‘*’ and will not be the same as salt. In either case,errnowill be set to indicate the problem. Some of the possible error codes are:
EINVAL- salt is invalid; neither a previously hashed passphrase, nor a well-formed new salt for any of the supported hash functions.
EPERM- The system configuration forbids use of the hash function selected by salt.
ENOMEM- Failed to allocate internal scratch storage.
ENOSYSEOPNOTSUPP- Hashing passphrases is not supported at all, or the hash function selected by salt is not supported. The GNU C Library does not use these error codes, but they may be encountered on other operating systems.
cryptuses static storage for both internal scratchwork and the string it returns. It is not safe to callcryptfrom multiple threads simultaneously, and the string it returns will be overwritten by any subsequent call tocrypt.
cryptis specified in the X/Open Portability Guide and is present on nearly all historical Unix systems. However, the XPG does not specify any one-way functions.
cryptis declared in unistd.h. The GNU C Library also declares this function in crypt.h.
Preliminary: | MT-Safe | AS-Unsafe corrupt lock heap dlopen | AC-Unsafe lock mem | See POSIX Safety Concepts.
The function
crypt_ris a thread-safe version ofcrypt. Instead of static storage, it uses the memory pointed to by its data argument for both scratchwork and the string it returns. It can safely be used from multiple threads, as long as different data objects are used in each thread. The string it returns will still be overwritten by another call with the same data.data must point to a
struct crypt_dataobject allocated by the caller. All of the fields ofstruct crypt_dataare private, but before one of these objects is used for the first time, it must be initialized to all zeroes, usingmemsetor similar. After that, it can be reused for many calls tocrypt_rwithout erasing it again.struct crypt_datais very large, so it is best to allocate it withmallocrather than as a local variable. See Memory Allocation.
crypt_ris a GNU extension. It is declared in crypt.h, as isstruct crypt_data.
The following program shows how to use crypt the first time a
passphrase is entered. It uses getentropy to make the salt as
unpredictable as possible; see Unpredictable Bytes.
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>
int
main(void)
{
unsigned char ubytes[16];
char salt[20];
const char *const saltchars =
"./0123456789ABCDEFGHIJKLMNOPQRST"
"UVWXYZabcdefghijklmnopqrstuvwxyz";
char *hash;
int i;
/* Retrieve 16 unpredictable bytes from the operating system. */
if (getentropy (ubytes, sizeof ubytes))
{
perror ("getentropy");
return 1;
}
/* Use them to fill in the salt string. */
salt[0] = '$';
salt[1] = '5'; /* SHA-256 */
salt[2] = '$';
for (i = 0; i < 16; i++)
salt[3+i] = saltchars[ubytes[i] & 0x3f];
salt[3+i] = '\0';
/* Read in the user's passphrase and hash it. */
hash = crypt (getpass ("Enter new passphrase: "), salt);
if (!hash || hash[0] == '*')
{
perror ("crypt");
return 1;
}
/* Print the results. */
puts (hash);
return 0;
}
The next program demonstrates how to verify a passphrase. It checks a hash hardcoded into the program, because looking up real users' hashed passphrases may require special privileges (see User Database). It also shows that different one-way functions produce different hashes for the same passphrase.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>
/* ‘GNU's Not Unix’ hashed using SHA-256, MD5, and DES. */
static const char hash_sha[] =
"$5$DQ2z5NHf1jNJnChB$kV3ZTR0aUaosujPhLzR84Llo3BsspNSe4/tsp7VoEn6";
static const char hash_md5[] = "$1$A3TxDv41$rtXVTUXl2LkeSV0UU5xxs1";
static const char hash_des[] = "FgkTuF98w5DaI";
int
main(void)
{
char *phrase;
int status = 0;
/* Prompt for a passphrase. */
phrase = getpass ("Enter passphrase: ");
/* Compare against the stored hashes. Any input that begins with
‘GNU's No’ will match the DES hash, but the other two will
only match ‘GNU's Not Unix’. */
if (strcmp (crypt (phrase, hash_sha), hash_sha))
{
puts ("SHA: not ok");
status = 1;
}
else
puts ("SHA: ok");
if (strcmp (crypt (phrase, hash_md5), hash_md5))
{
puts ("MD5: not ok");
status = 1;
}
else
puts ("MD5: ok");
if (strcmp (crypt (phrase, hash_des), hash_des))
{
puts ("DES: not ok");
status = 1;
}
else
puts ("DES: ok");
return status;
}