# PAM & Blowfish for user auth.

## j2theb

Hello, I'm trying to get Gentoo to use blowfish encryption for users.

I have done this successfully on a SuSE system. So, I tried to do it in Gentoo the same way.

What I've done is installed the "pam_unix2.so" module/set. Then I've put a line inside "/etc/pam.d/passwd" to tell it to use "/lib/security/pam_unix2.so". I've done configurations to /etc/security/pam_unix2.con in a similar way to what works with SuSE.

So, I do a "passwd $user" and it changes the password successfully. However it is obvious that the hash in /etc/shadow is DES based. ALSO, I get an error in /var/log/auth.log that says:

  "passwd[18993]: pam_unix2: No blowfish support compiled in"

I've looked around a bit and I can't get any definite answer on what/where to compile this support in.

Can anyone help out?

Does anyone know a better way to do what I'm doing?

----------

## iwaldi

Same here :Confused:

```
pam_unix2: Unknown option: `shadow'

passwd[18955]: pam_unix2: No blowfish support compiled in
```

----------

## iwaldi

OK - found a solution - libxcrypt must be installed.

----------

## j2theb

Can you be a little more specific about what you did?

I installed libxcrypt and then re-emerged shadow and still the same issue.

Thanx.

----------

## michaelarch

Hello,

If you're still trying to get it to work, I got it working by emerging libxcrypt, running ./configure on pam_unix2 and recompiling so it would find libxcrypt. For some reason, it didn't fail when it didn't find it the first time through. I suspect that it just built the capabilities in libcrypt. Hope this helps. Let me know.

V/R,

Michael

----------

## trancelis

Okay, the final solution is to emerge pam_unix2 and then replace all instances of "pam_unix" with "pam_unix2" in /etc/pam.d/* files and "md5" with "blowfish" in /etc/pam.d/system-auth. It works for me and my 500 user ex-Suse now-Gentoo network  :Surprised: ) The sys-libs/pam_unix2/pam_unix2-1.19.ebuild follows:

```
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

inherit eutils

DESCRIPTION="The pam_unix2 PAM module is for traditional password authentication. The advantages of this particular version are full SecureRPC and NIS+ support, HP-UX password aging, and password encryption with DES, bigcrypt, MD5, or blowfish. It allows the modification of user accounts in the source files for NIS maps on the NIS master server, if they are not the standard files in /etc."
HOMEPAGE="http://www.thkukuk.de/pam/pam_unix2/"
SRC_URI="ftp://ftp.suse.com/pub/people/kukuk/pam/pam_unix2/${P}.tar.bz2"
RESTRICT="nomirror"

LICENSE="BSD"
SLOT="0"
KEYWORDS="x86"

# libxcrypt provides the blowfish support; it must be present at configure time
DEPEND=">=sys-libs/libxcrypt-2.0"

src_compile() {
   econf || die "bad configure"
   emake || die "compile problem"
}

src_install() {
   # Install into the image directory, not the live filesystem
   make DESTDIR="${D}" install || die "install problem"
}
```

Hope this helps  :Smile: 

----------

## piercey

I've run into issues with the above. I had to copy or move the pam_unix2.so module to the directory pam looks in, i.e.

```
cp /usr/lib64/security/pam_unix2.so /lib64/security/
```

I then changed my password which went fine, and have tried to ssh back in again to my (external :Sad: ) box and am getting:

> Permission denied (publickey,keyboard-interactive).

I'm not quite sure what to make of this, I tried using the "-c blowfish" switch too, but no luck. Any ideas? I did not restart my ssh server, could that cause the problem?

----------

## trancelis

Have you altered all the required /etc/pam.d/ files? I can give you a tarball with our server's, so you could check them all. PM me your email if you're in.

P.S.: I'm not sure if moving stuff from /usr/lib to /lib affects anything, they're both in the $LDPATH env variable. Maybe pam is a special case with hardcoded paths?

----------

## imp

Just to let you know, a newer version of pam_unix2 exists, 1.25, dating from 03. 01. 2005., and you only need to change the name of the ebuild to build this version (I guess you knew that).

----------
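To confirm that the change discussed in this thread took effect, the scheme of each entry can be read from the prefix of the second field in /etc/shadow (`$2a$` and its variants for blowfish, `$1$` for MD5, no `$` prefix for DES or bigcrypt). The script below is an added example, not part of any post above; the function names and the sample entries are constructed for illustration, and on a real system `audit_shadow /etc/shadow` would be run as root.

```shell
#!/bin/sh
# Classify one shadow(5) hash field by its prefix.
classify_hash() {
    case "$1" in
        '')                    echo "empty" ;;
        '!'*|'*'*)             echo "locked" ;;
        '$2'[abxy]'$'*|'$2$'*) echo "blowfish" ;;
        '$1$'*)                echo "md5" ;;
        '$'*)                  echo "other" ;;
        *)
            # No "$id$" prefix: 13 characters is traditional DES crypt,
            # anything longer is treated as bigcrypt.
            if [ "${#1}" -eq 13 ]; then echo "des"
            elif [ "${#1}" -gt 13 ]; then echo "bigcrypt"
            else echo "unknown"; fi ;;
    esac
}

# Print "user scheme" for every entry of a shadow-format file.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# List accounts that can log in with a password that is not blowfish-hashed.
non_blowfish_users() {
    audit_shadow "$1" | while read -r user scheme; do
        case "$scheme" in blowfish|locked) ;; *) echo "$user" ;; esac
    done
}

# Constructed sample entries (placeholder strings, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$2a$10$CONSTRUCTEDplaceholderNOTaREALhash:12800:0:99999:7:::
alice:$1$constrct$PLACEHOLDERnotAREALhash:12800:0:99999:7:::
bob:ab0123456789A:12800:0:99999:7:::
daemon:*:12800:0:99999:7:::
EOF
}

tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp"
rm -f "$tmp"
```

Accounts listed by `non_blowfish_users` keep their old hash until their password is changed again through the reconfigured PAM stack.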

