-
Notifications
You must be signed in to change notification settings - Fork 55
/
hashes.conf
57 lines (57 loc) · 3.16 KB
/
hashes.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# This file is read by expand-selected-hashes and gen-crypt-hashes-h.
# It lists, for each supported hash algorithm, the name to be used to
# enable or disable it at configure time, which is also part of the
# name used for the 'crypt_fn' and 'gensalt_fn' entry points to the
# relevant algorithm module; the prefix used to identify the algorithm
# in hash strings; the number of bytes of random data that
# crypt_gensalt should draw from the OS when its caller doesn't supply
# any; and a comma-separated list of flags.
#
# The current set of possible flags is: STRONG means the hash is still
# considered strong enough to use for newly hashed passwords; this is
# the set of hashes that will be enabled when the library is
# configured with --enable-hashes=strong. DEFAULT means that this
# hash may be used as the default for newly hashed passwords;
# when crypt_gensalt is called with a null pointer for its prefix
# argument, it will use the first hash in this file that was enabled
# and has a DEFAULT flag. Hashes that are not STRONG should never be
# marked DEFAULT. If you change the set of DEFAULT hashes you must also
# update test-gensalt.c to match.
#
# ALT, FREEBSD, GLIBC, NETBSD, OPENBSD, OSX, OWL, SOLARIS, and SUSE
# mean that the hash was historically supported by crypt() as provided
# by that operating system / C library. These are also recognized by
# --enable-hashes as sets of hashes that can be enabled.
#
# Fields are separated by whitespace. Lines beginning with # are
# ignored; # is not otherwise significant. Multiple flags are
# separated by commas. A field whose contents are a single colon (:)
# is actually understood as an empty string; colon is used for this
# purpose because it cannot be part of a hash prefix or a C identifier.
#
# Because the first DEFAULT entry that's enabled is used for new
# hashes when crypt_gensalt() is called with a null prefix, the list
# should be kept in decreasing order of cryptographic strength overall
# (this only *matters* for DEFAULT entries, but it's easier to keep
# the whole list sorted that way). Because of how crypt() checks
# prefixes, the hashes that use an empty prefix (bigcrypt and
# descrypt) must be last (conveniently, these are also the weakest
# supported hashes).
#
#name h_prefix nrbytes flags
yescrypt $y$ 16 STRONG,DEFAULT,ALT,DEBIAN,FEDORA
gost_yescrypt $gy$ 16 STRONG,ALT
scrypt $7$ 16 STRONG
bcrypt $2b$ 16 STRONG,DEFAULT,ALT,FREEBSD,NETBSD,OPENBSD,OWL,SOLARIS,SUSE
bcrypt_y $2y$ 16 STRONG,ALT,OWL,SUSE
bcrypt_a $2a$ 16 STRONG,ALT,FREEBSD,NETBSD,OPENBSD,OWL,SOLARIS,SUSE
bcrypt_x $2x$ 16 ALT,OWL,SUSE
sha512crypt $6$ 15 STRONG,DEFAULT,GLIBC,FREEBSD,SOLARIS
sha256crypt $5$ 15 GLIBC,FREEBSD,SOLARIS
sha1crypt $sha1 20 NETBSD
sunmd5 $md5 8 SOLARIS
md5crypt $1$ 9 GLIBC,FREEBSD,NETBSD,OPENBSD,SOLARIS
nt $3$ 1 FREEBSD
bsdicrypt _ 3 FREEBSD,NETBSD,OPENBSD,OSX
bigcrypt : 2 :
descrypt : 2 GLIBC,FREEBSD,NETBSD,OPENBSD,SOLARIS,OSX