[Home]    [FBSD Articles]    [Scripts Corner]    [Contribute]    [Search]    [FBSD Links]    [Files]

About Us

FreeBSD Articles
  *X Windows

Files / Scripts
Newbies Corner
Tech. Talk
Tips and Tricks

FreeBSD Links

Articles in other
Languages :
  *French Articles
  *Spanish Articles

Want to Help ?
   Click Here

Email Users5



FreeBSD Search:



Defcon1 Logo

How to switch between DES and MD5 encryption scheme in 2.2.8, 3.x, and 4.0 FreeBSD


    If there are any questions or comments, please direct them to The newest copy of this HowTo can always be retrieved
from All rights for the reproduction of this
document are reserved.


This mini-HowTo will quickly discuss the FreeBSD system encryption
libraries and how to switch between DES and MD5 encryption schemes in
2.2.8, 3.x, and 4.0 FreeBSD systems.


The FreeBSD system, by default, makes use of the MD5 encryption
scheme for passwords because of no export restriction. In addition, MD5 is
more secure than DES, which is mostly useful for backwards compatibility
where password files must be shared with other UNIX systems also using

One can easily determine which encryption scheme is being used by
checking what libraries the libcrypt[._]* links in /usr/lib are linked
against. If they are linked against libscrypt* libraries, then MD5 is
being used, and if they are linked against libdescrypt* then DES is being
used. For instance, the follows lines indicate the system they are from
uses MD5 as its password encryption scheme:

(lasker@nu)/usr/lib>% ls -l libcrypt[._]*
lrwxr-xr-x 1 root wheel    11 Jun 9 06:18 /usr/lib/libcrypt.a@ ->
lrwxr-xr-x 1 root wheel    12 Jun 9 06:19 /usr/lib/ ->
lrwxr-xr-x 1 root wheel    14 Jun 9 06:21 /usr/lib/ ->
lrwxr-xr-x 1 root wheel    13 Jun 9 06:22 /usr/lib/libcrypt_p.a@ ->

Switching Libraries.

It is strongly recommended that the MD5 libraries be used instead
of DES whenever possible. As such, it may be necessary to switch libraries
if one has installed a system with DES encryption. This can be easily
accomplished by deleting the libcrypt[._]* links and recreating them by
linking them against the appropriate libraries, which are, simply,
libraries with the same name except with an 's' where there is 'des' in
each of their names. Following is a convenient table for sorting out the
encryption libraries:




A system using DES can still authenticate passwords encrypted in
MD5 as the MD5 hash is used in DES, however, not the other way around. One
can quickly check how a password has been encrypted by looking into
/etc/master.passwd. MD5 passwords are twice as long as DES passwords and
invariably begin with the string "$1$". For this, MD5 and DES passwords
can be easily identified. If one has a mixed batch of passwords encrypted
with both schemes it may be better to stay with the DES encryption
libraries, unless one can unproblematically re-encrypt all passwords in
the MD5 scheme.


man 9 MD5
man 1 bdes
man 1 md5



Email Us

This site cannot be duplicated without permission

© 1998 - 2010 Defcon1, Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.