Updating and Downgrading the local-user Database
Prior to release 20.0, local-user passwords were hashed with the MD5 message digest-algorithm and saved
in the local-user database. In release 20. 0, PBKDF2 (Password Based Key Derivation Function - Version 2)
is now used to derive a key of given length, based on entered data, salt and number of iterations. Local-user
account passwords are hashed using the PBKDF2 method with a randomly generated salt coupled with a large
number of iterations to make password storage more secure.
When upgrading to release 20.0, existing user passwords in the local-user database are not automatically
upgraded from MD5 to PBKDF2 hashing (only hashed password values are stored). Since hash functions are
one-way, it is not possible to derive user passwords from the stored hash values. Thus it is not possible to
convert existing hashed passwords to strongly hashed passwords automatically.
To update the database, a Security Administrator must run the Exec mode
update local-user database
CLI
command. When this command is executed, StarOS reads the database from the /flash directory, reconstructs
the database in the new format, and writes it back to the disk.
The database upgrade process does not automatically convert MD5 hashed passwords into the PBKDF2
format. StarOS continues to authenticate users using the old encryption algorithm. It flags the users using the
old encryption algorithm with a "Weak Hash" flag. This flag appears in the output of the
show local-user
[verbose]
Exec mode CLI command. When users re-login with their credentials, StarOS verifies the entered
password using the MD5 algorithm, then creates a new hash using the PBKDF2 algorithm and then saves the
result in the database. StarOS then clears the "Weak Hash" flag for that user.
Since hash functions are one-way, it is not possible to convert PBKDF2 hashed passwords to the MD5
format. The local-user database must be downgraded prior to reverting to StarOS releases prior to 20.0.
Important
To downgrade the local-user database to use the MD5 hash algorithm, a Security Administrator must run the
Exec mode
downgrade local-user database
command. StarOS prompts for confirmation and requests the
Security Administrator to reenter a password. The entered password re-authenticates the user prior to executing
the downgrade command. After verification, the password is hashed using the appropriate old/weak encryption
algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security
Administrator.
The downgrade process does not convert PBKDF2 hashed passwords to MD5 format. The downgrade process
re-reads the database (from the /flash directory), reconstructs the database in the older format, and writes it
back to the disk. Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm, and
earlier StarOS releases cannot parse the PBKDF2 encryption algorithm, StarOS suspends all those users
encrypted via the PBKDF2 algorithm. Users encrypted via the MD5 algorithm ("Weak Hash" flag) can continue
to login with their credentials. After the system comes up with the earlier StarOS release, suspended users
can be identified in the output of the
show local-user [verbose]
command.
To reactivate suspended users a Security Administrator can:
•
Set temporary passwords for suspended users, using the Exec mode
password change local-user
username
command.
•
Reset the suspend flag for users, using the Configuration mode
no suspend local-user username
command.
ASR 5500 System Administration Guide, StarOS Release 21.5
38
System Settings
Configuring Local-User Administrative Users