IBM Support

AIX: Making SHA-256 and SHA-512 passwords compatible with other OS's

Question & Answer


Question

How do I make AIX SHA-256 and SHA-512 passwords compatible with those that are generated by other Linux/Unix OS's?

Answer


TARGET AUDIENCE:

Users who want AIX to recognize passwords that were hashed on another Linux/Unix OS; for example, AIX systems that use another OS as their NIS server.

OBJECTIVE:


Provide instructions to configure AIX to have passwords compatible with other OS's.

PROCEDURES:


AIX represents a hashed password as follows (using SHA-256 as an example):

{ssha256}06$W2fCLLad8jr4JH0Y$T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF


This breaks down into:

Identifier:

{ssha256}

This identifier is going to be a stanza that is defined in /etc/security/pwdalg.cfg; for example:

ssha256:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha256


The next part is the 'cost'. This defaults to 6 and is ended by a dollar sign:

06$


This value can be set between 4 and 31 in pwdalg.cfg, and causes 2^cost hashing iterations to be performed when hashing the password.

The next part is the salt, which defaults to a length of 16 for SHA-256 and is ended by a dollar sign:

W2fCLLad8jr4JH0Y$

The salt length can also be modified in pwdalg.cfg.

Finally, we have the hashed portion of the password:

T4HiQNYOaaaG6sy5I9JislJ709ih7k2oipHRzPlQ.kF


A password hashed by another Unix or Linux OS looks like this instead:

$5$UsjqZRFo2T4pDcTz$ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2


This breaks down into the identifier:

$5$

The salt:

UsjqZRFo2T4pDcTz$

The hashed portion:

ViA.jBK5EAOZ2PBkc4wag8GSzxzEttn6saWd1tCfcc2


Visible differences with this style are:
1) The identifier is numeric and enclosed in dollar signs rather than curly brackets
2) It has no cost field

The name of the identifier and use of dollar signs around the identifier can be easily configured in pwdalg.cfg: you can use any identifier you like, such as '5', by creating a stanza with that identifier. You may also specify that the identifier be enclosed in dollar signs by using the lpa_option 'prefix_dollar'.

However, the more fundamental difference between the AIX and Linux representations is that the hashing algorithm itself is different. Unless AIX knows the correct algorithm, it can never compare a user's plaintext password against the stored hash.
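What that algorithm is, as an added example written for this page (not IBM code and not the source of the pwmod module): the sha256crypt routine behind Linux's $5$ hashes, with a verify() that parses the cost-less $5$[rounds=N$]salt$hash form and compares the result in constant time. The function and constant names are this example's own.

```python
import hashlib
import hmac
import re

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order from the sha256crypt specification (the last group is 2 bytes).
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
HASH_RE = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{43})$")

def _repeat(block: bytes, n: int) -> bytes:
    """Repeat block until it is exactly n bytes long."""
    return (block * (n // len(block) + 1))[:n]

def sha256_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return the 43-character hash field of a $5$[rounds=N$]salt$hash string."""
    pw, st = password.encode(), salt.encode()[:16]   # salt is capped at 16 bytes
    b = hashlib.sha256(pw + st + pw).digest()
    a = hashlib.sha256(pw + st + _repeat(b, len(pw)))
    n = len(pw)
    while n:                       # one update per bit of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat(hashlib.sha256(pw * len(pw)).digest(), len(pw))
    s = _repeat(hashlib.sha256(st * (16 + a[0])).digest(), len(st))
    for i in range(rounds):        # the work factor; Linux default is 5000
        c = hashlib.sha256(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    out = []
    for i, j, k in ORDER + [(None, 31, 30)]:
        w = (a[i] << 16 if i is not None else 0) | (a[j] << 8) | a[k]
        for _ in range(4 if i is not None else 3):
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)

def verify(password: str, stored: str) -> bool:
    """Verify a Linux-style $5$ hash; any other form (e.g. {ssha256}) is rejected."""
    m = HASH_RE.match(stored)
    if not m:
        return False
    rounds = min(max(int(m.group(1) or 5000), 1000), 999_999_999)
    return hmac.compare_digest(sha256_crypt(password, m.group(2), rounds), m.group(3))
```

The optional rounds= field plays the role of AIX's cost field, except that it is a plain iteration count rather than a power of two.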

The solution to this is to install the AIX Loadable Password Algorithm (LPA) package from the AIX Web Download Pack.
You can find the AIX Loadable Password Algorithm (LPA) here:

https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=pwmod

Downloading this will provide a fileset called 'pwmod'. This can be installed with 'smitty install' or 'installp -acXgYd . pwmod'.
This puts the /usr/lib/security/lsha and lsha_64 modules in place on your system.

When this is installed, it will add the following stanzas to your /etc/security/pwdalg.cfg file:

6:
        lpa_module = /usr/lib/security/lsha
        lpa_options = algorithm=sha512,prefix_dollar

5:
        lpa_module = /usr/lib/security/lsha
        lpa_options = algorithm=sha256,prefix_dollar



Your system will now be able to recognize SHA-512 and SHA-256 passwords generated using the Linux-style hashing method.

If you would like your system to use one of these methods by default, change the pwd_algorithm value in /etc/security/login.cfg to the identifier you want:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=5


This is not a necessary step; it is only needed if you want AIX to use this hashing method for all newly generated passwords. Existing passwords remain usable with their old hashing method, but are not converted to the new method until they are changed.

Prerequisite note:

For this to work, AIX's password hashing routine must support the 'prefix_dollar' option, which produces the dollar-sign prefix that Linux expects.
This was introduced in bos.rte.libc versions:

7.2.0.1    (7.2tl0-sp2)
7.2.1.0    (7.2tl1 base level)
7.1.4.1    (7.1tl4-sp2)
7.1.3.47   (7.1tl3-sp7)
6.1.9.101  (6.1tl9-sp7)

The pwmod package works only on those service packs and anything later (including 7.1tl5, 7.2tl2, 7.2tl3, and all subsequent levels).

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please open a case with IBM AIX support.


Document Information

Modified date:
09 May 2024

UID

isg3T1027597