Authentication on Grex is handled using the standard tools that come with the OpenBSD operating system. In particular, we use the OpenBSD bcrypt(3) hashing algorithm, and the standard 4.4BSD /etc/master.passwd database and its Berkeley DB counterparts, all managed using the tools that come with the base operating system.

In the past, however, authentication on Grex was very complex. Grex used a proprietary algorithm and format for its hashed passwords and used a heavily modified version of the software that maintains the Unix /etc/passwd file under SunOS. Special tools had to be used to work on the password database, which was very inconvenient. See the old staff notes for more information.

When Grex moved to OpenBSD from SunOS, it was decided that it was too much effort to maintain support for the custom hashing algorithm that had been used for passwords on Grex. So, the system was migrated to use the standard OpenBSD algorithm and tools instead.

Migrating from the old system to the new system was remarkably easy, but time-consuming. Since passwords are hashed in a format that is difficult to invert, we could not simply "decrypt" them and rehash them using bcrypt(3). Further, we knew that asking every user on Grex to change his or her password simply would not work.

So, we came up with a different plan. The program that creates new accounts on Grex was modified to use the OpenBSD algorithm, and then the passwd(1) program was updated to always use bcrypt when a user changed his or her password. Finally, the program that authenticates a user's password was modified so that, if it detected that a password was hashed with the old format, it would verify the password against the old hash, rehash the cleartext (which it had in hand at login time) in the new format, and update the database accordingly.
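The rehash-on-login step, as an added illustration that is not Grex's own code. It assumes a hypothetical legacy format ("OLD$salt$md5hex") standing in for the proprietary one, PBKDF2-HMAC-SHA256 standing in for bcrypt(3) because the Python standard library has no bcrypt, and a plain dict standing in for /etc/master.passwd; the migration logic is what matters, not the two hash functions.

```python
import hashlib
import hmac
import os

# Hypothetical legacy scheme (stand-in for the proprietary Grex format):
# "OLD$<salt>$<hex md5 of salt+password>".
LEGACY_PREFIX = "OLD$"
# Stand-in for bcrypt(3): "$pbkdf2$<rounds>$<salt hex>$<derived key hex>".
NEW_PREFIX = "$pbkdf2$"
ROUNDS = 100_000


def legacy_hash(password: str, salt: str) -> str:
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{LEGACY_PREFIX}{salt}${digest}"


def new_hash(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)  # fresh random salt per rehash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{NEW_PREFIX}{ROUNDS}${salt.hex()}${dk.hex()}"


def verify_legacy(password: str, stored: str) -> bool:
    _, salt, _ = stored.split("$")
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def verify_new(password: str, stored: str) -> bool:
    _, _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def authenticate(db: dict, user: str, password: str) -> bool:
    """Verify the password; if the record is in the legacy format and the
    password is correct, rehash it in the new format and update the record."""
    stored = db.get(user)
    if stored is None:
        return False
    if stored.startswith(NEW_PREFIX):
        return verify_new(password, stored)
    if stored.startswith(LEGACY_PREFIX):
        if not verify_legacy(password, stored):
            return False  # wrong password: leave the record untouched
        db[user] = new_hash(password)  # cleartext is in hand only now, at login
        return True
    return False  # unknown format: refuse rather than guess
```

Only users who actually log in get migrated this way, which is why the stragglers mentioned below took so long; a record that still starts with the legacy prefix after the migration window is a dormant account.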

The bulk of users had been migrated to the OpenBSD algorithm over the course of about six months; picking up the rest of the stragglers took about a year. Grex is now free of the proprietary algorithm, account maintenance is much easier, and upgrades are simpler.