Date: Sun, 11 Nov 2001 06:10:03 -0800 (PST) From: Martin Heinen <martin@sumuk.de> To: freebsd-doc@freebsd.org Subject: Re: docs/31899: Markup changes for chapter Security Message-ID: <200111111410.fABEA3N07972@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR docs/31899; it has been noted by GNATS.
From: Martin Heinen <martin@sumuk.de>
To: Tom Hukins <tom@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sun, 11 Nov 2001 15:06:54 +0100
--5G06lTa6Jq83wMTw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Sat, Nov 10, 2001 at 05:27:14PM +0000, Tom Hukins wrote:
> On Sat, Nov 10, 2001 at 03:19:43PM +0100, Martin Heinen wrote:
> > <para>If you have installed the DES-capable crypt library
> > - <filename>libdescrypt</filename> (e.g. by installing the
> > - "crypto" distribution), then which password format will be used
> > - for new passwords is controlled by the
> > - <quote>passwd_format</quote> login capability in
> > - <filename>/etc/login.conf</filename>, which takes values of
> > - either <quote>des</quote> or <quote>md5</quote>. See the
> > - &man.login.conf.5; manual page for more information about login
> > - capabilities.</para>
>
> Rather than fixing this by modifying the quotes, shouldn't this be
> totally updated? We don't have a "crypto" distribution any more, so we
> should specify what happens by default and explain how to change it.
second uups, in the future I will read the relase notes more
thoroughly. The attached diff reformulates the section, but I'm
not sure if I got this right, especially I don't know when /etc/auth.conf
is used. Maybe someone else can shed more light on this.
Should I open a new PR for this issue?
Martin
--
Marxpitn
--5G06lTa6Jq83wMTw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="sec.auth.diff"
Index: chapter.sgml
===================================================================
RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.96
diff -u -r1.96 chapter.sgml
--- chapter.sgml 2001/10/29 11:02:50 1.96
+++ chapter.sgml 2001/11/11 13:33:53
@@ -978,50 +978,35 @@
<sect2>
<title>Recognizing Your Crypt Mechanism</title>
+ <para>Before FreeBSD 4.4 <filename>libcrypt.a</filename> was a
+ symbolic link pointing to the library which was used for
+ encryption. FreeBSD 4.4 changed <filename>libcrypt.a</filename> to
+ provide a configurable password authentication hash library.
+ Currently the library supports DES, MD5 and Blowfish hash
+ functions. By default FreeBSD uses MD5 to encrypt
+ passwords.</para>
+
<para>It is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the <filename>/etc/master.passwd</filename> file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
- <literal>$1$</literal>. DES password strings do not
+ <literal>$1$</literal>. Passwords starting with
+ <literal>$2$</literal> are encrypted with the
+ Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the <literal>$</literal>
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.</para>
-
- <para>The libraries can identify the passwords this way as well.
- As a result, the DES libraries are able to identify MD5
- passwords, and use MD5 to check passwords that were encrypted
- that way, and DES for the rest. They are able to do this
- because the DES libraries also contain MD5. Unfortunately, the
- reverse is not true, so the MD5 libraries cannot authenticate
- passwords that were encrypted with DES.</para>
-
- <para>Identifying which library is being used by the programs on
- your system is easy as well. Any program that uses crypt is linked
- against libcrypt, which for each type of library is a symbolic link
- to the appropriate implementation. For example, on a system using
- the DES versions:</para>
-
- <screen>&prompt.user; <userinput>ls -l /usr/lib/libcrypt*</userinput>
-lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
-lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
-lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a</screen>
- <para>On a system using the MD5-based libraries, the same links will
- be present, but the target will be <filename>libscrypt</filename>
- rather than <filename>libdescrypt</filename>.</para>
+ <para>Which password format will be used for new passwords is
+ controlled by the <quote>passwd_format</quote> login capability in
+ <filename>/etc/login.conf</filename>, which takes values of
+ <quote>des</quote> or <quote>md5</quote> or <quote>blf</quote>.
+ See the &man.login.conf.5; manual page for more information about
+ login capabilities.</para>
- <para>If you have installed the DES-capable crypt library
- <filename>libdescrypt</filename> (e.g. by installing the
- "crypto" distribution), then which password format will be used
- for new passwords is controlled by the
- <quote>passwd_format</quote> login capability in
- <filename>/etc/login.conf</filename>, which takes values of
- either <quote>des</quote> or <quote>md5</quote>. See the
- &man.login.conf.5; manual page for more information about login
- capabilities.</para>
</sect2>
</sect1>
--5G06lTa6Jq83wMTw--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111111410.fABEA3N07972>