How do I enable crypt_blowfish support for shadowed passwords and PHP on a Linux (Debian) server?
I'm referring to the OpenBSD-style Blowfish-based bcrypt, known in PHP as CRYPT_BLOWFISH.
As far as I know there is no Debian package for it. What other options do I have to enable this hashing algorithm for PHP?
Note:
PHP's crypt() function interfaces relatively directly with the C-library crypt(3) function provided by the underlying operating system.
Update
Package-naming is not as clear as it could (should) be.
The PEAR Crypt_Blowfish package is a drop-in replacement for PHP's MCrypt extension, allowing for quick two-way blowfish encryption.
The Debian BCrypt package is also an implementation of the 'normal' two-way blowfish algorithm.
What I'm looking for is the Bcrypt-hash implementation for hashing passwords.
The package you need to install in Debian is libpam-unix2.
Then you will have to edit the following files under /etc/pam.d/, and change all pam_unix.so usage to pam_unix2.so:
Finally, edit the common-password file and replace the "md5" parameter with "blowfish".
Passwords that are updated after these modifications are made will be hashed using blowfish. Existing shadow passwords are not modified. Source
To use blowfish in PHP, you provide a blowfish salt to crypt(). Like this:
You should first check if CRYPT_BLOWFISH==1. And you'll need to use a long enough salt, which is equal to (or greater than) 22 characters. Source
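The crypt() usage described in the answer above, as an added example that is not part of the original post: it checks CRYPT_BLOWFISH, builds a 22-character salt, hashes a password and verifies it against the stored hash. The function names, the $2y$ prefix, the cost of 10 and the sample password are assumptions; random_bytes() and the type hints need PHP 7 or later.

```php
<?php
// Added example; bcrypt_salt(), hash_password() and verify_password()
// are hypothetical helper names, not part of PHP or of the original answer.

// Build a bcrypt setting string: "$2y$" + two-digit cost + "$" + 22 salt chars.
function bcrypt_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes encode to 24 base64 characters ending in "==".
    // Keep the first 22 and map "+" to "." so that every character is in
    // the ./0-9A-Za-z alphabet that bcrypt salts use.
    $encoded = base64_encode(random_bytes(16));
    $salt22  = substr(strtr($encoded, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

function hash_password(string $password, int $cost = 10): string
{
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH != 1) {
        throw new RuntimeException('CRYPT_BLOWFISH is not available in this PHP build');
    }
    $hash = crypt($password, bcrypt_salt($cost));
    // A bcrypt hash is always 60 characters; on failure crypt() returns a
    // short marker string instead, which must never be stored.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function verify_password(string $password, string $stored): bool
{
    // Passing the stored hash as the salt makes crypt() reuse the same
    // prefix, cost and salt. hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample password. bcrypt only uses the first 72 bytes of input.
$stored = hash_password('correct horse battery staple');
var_dump(strlen($stored));
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong guess', $stored));
```

On PHP 5.5 and later, password_hash() with PASSWORD_BCRYPT and password_verify() generate the salt and do the comparison themselves.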