From owner-freebsd-security Mon Sep 18 12:15: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6])
	by hub.freebsd.org (Postfix) with ESMTP id B8CE837B422
	for ; Mon, 18 Sep 2000 12:15:00 -0700 (PDT)
Received: from dialup-janus.css.qmw.ac.uk ([138.37.11.110])
	by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13b6NV-0005GP-00
	for freebsd-security@freebsd.org; Mon, 18 Sep 2000 20:14:57 +0100
Received: from david by dialup-janus.css.qmw.ac.uk with local (Exim 2.12 #1)
	id 13b5u7-000BfZ-00
	for freebsd-security@FreeBSD.ORG; Mon, 18 Sep 2000 19:44:35 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 passwords vs DES
In-reply-to: Your message of "Mon, 18 Sep 2000 10:24:58 +0300."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Sep 2000 19:44:34 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you don't mind the side effects you can try to compile passwd and perl
> with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to
> /usr/lib/libcrypt.a which is linked to either DES or MD5 library). When you
> use libscrypt in your passwd and perl programs the passwords these
> programs generate will be MD5 by default. The side effect of this is that
> your users can't change their own passwords if their old password is DES
> since libscrypt doesn't understand DES, and if you have perl scripts which
> do similar actions they may fail. But adduser is a perl script itself so
> it would generate MD5 passwords automatically when you add a new user.
> For passwd program it's simple: in its makefile just change -lcrypt lines
> with /usr/lib/libscrypt.a; this should do the job. I am not sure about perl.
>
> Is this a good "temporary" solution for you?

I don't recompile anything, I just redirect the symbolic links
libcrypt* -> libdescript* to become libcrypt* -> libscrypt* in /usr/lib/

I actually do this during system installation before creating any
users so the only DES password is the "root" password. "root" can,
of course, reset this (getting an MD5 password) without having
anything checked against the DES password (because it's "root"
doing it).

-- 
	David Pick
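
Added example, not part of the original message or of FreeBSD: a small audit that lists which accounts still hold DES hashes, which are the accounts affected by the side effect in the quoted text and the "root" case in the reply. It assumes master.passwd layout (hash in field 2), that a `$1$` prefix marks MD5 crypt and a 13-character string over `[./0-9A-Za-z]` marks traditional DES crypt; the function names and sample accounts are constructed.

```shell
#!/bin/sh
# Added example: classify the hash scheme of each account in
# master.passwd-format input (name:hash:uid:gid:...), read from stdin.

# Prints "<user> <scheme>" per account; scheme is md5, des, empty or other.
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }              # skip comments, malformed lines
        {
            h = $2
            if (substr(h, 1, 3) == "$1$")
                s = "md5"                    # MD5 crypt: $1$salt$hash
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
                s = "des"                    # traditional DES: 2 salt + 11 hash chars
            else if (h == "")
                s = "empty"                  # no password set
            else
                s = "other"                  # "*", locked or unrecognised
            print $1, s
        }'
}

# Prints only the names of accounts whose hash is still DES.
des_accounts() {
    classify_hashes | awk '$2 == "des" { print $1 }'
}

# Constructed sample input; the hashes are made-up strings of the right
# shape, not real crypt() output.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real password file
root:abCdEfGhIjK1.:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$saltsalt$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:xyCdEfGhIjK1.:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
}

# Demo on the sample. On a real system, as root:
#   des_accounts < /etc/master.passwd
sample_master_passwd | des_accounts
```

Any account this lists needs its password reset by root once libcrypt no longer understands DES, since the old hash can no longer be verified.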