It's one-way encryption. Useful for validating the integrity/correctness of data. In this case it is nice for making sure that a password is correct.
That being said I don't really understand the point of using blowfish in this context. It's a general purpose cypher were you are suppose to be able to decrypt the information being encrypted. So this means that if you are able to obtain the key used to encrypt the password data stored in the shadow file then you can recover the password.
This is technically impossible to do with sha256 even if you wanted to. All the data used to encrypt the password can be present on the host system (except the password itself) and it is still impossible for a person with physical access to recover it. The only chance they have is to brute force it or have the user type it into a compromised system.
It's generally a bad idea to have a system were it is actually possible for a administrator to recover a password, if that is the idea. This opens up all sorts of liability and auditing problems. Just a bad idea.
So this seems bad. Unless the shadow files in each directory serve a slightly different purpose then before. I am probably missing something important here.
Basically if the authors feel that sha256 can't be trusted for hashing, then they need to find a different approach. Or they are using Blowfish in a different manner then I understood it to be used.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds