From owner-freebsd-security Mon May 19 03:34:47 1997
Date: Mon, 19 May 1997 13:35:45 +0300 (EEST)
From: Andrew Stesin
Reply-To: stesin@gu.net
To: questions@freebsd.org, security@freebsd.org
Subject: A quick question on dual-personality crypt(3) and passwd(1)

Hello,

sorry if it's documented somewhere and I wasn't patient enough to dig it up and read it myself; I have a question.

What I did:

1. installed a RELENG_2_2 system (got $1$-style crypt(3), OK)
2. installed the international-DES distribution over it,

and what I got:

-- if the encrypted password is $1$-style, passwd(1) preserves this.
-- if the encrypted password is "plain old DES", brought from an old BSD/OS system, passwd(1) preserves this, too.
-- if the account is fresh/new and/or has no password, passwd(1) does plain-DES encryption by default.

That's not what I meant (and wanted to get)...

I had an idea to bring in the old passwd database from the old system, old-DES-style, but have passwd(1) use either $1$- or ext-DES ('_'-style) encryption later, with no regard to whatever was used for this password earlier. So an old user will launch passwd(1), which in turn will understand her old DES password, but will replace it with the new one encrypted by the new encryption scheme.

So the question: do I need to hack passwd(1) to get this done transparently? Or are there some other options around?

And while here already, a call for expert opinions: which encryption scheme is considered to be harder to crack (with regard to UNIX passwords) -- the $1$-style MD5 scheme or the "extended DES", '_'-style scheme?

Thanks for your time and attention!

Best regards,
Andrew Stesin
nic-hdl: ST73-RIPE
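As an added illustration (not from the original post, and not FreeBSD's passwd(1) code), the format rules that tell the three password-field styles in the post apart, plus a small policy function implementing the migration Andrew asks for: rehash any account whose field is not in the preferred scheme at its next password change. All sample fields are constructed, not real credentials.

```python
import re

# crypt(3) "base64" alphabet shared by all three schemes discussed in the post
_B64 = r"[./0-9A-Za-z]"

# Recognisers for the three hash formats, keyed by scheme name.
_PATTERNS = {
    # $1$<salt, up to 8 chars>$<22-char hash>: the "$1$-style" MD5 scheme
    "md5": re.compile(rf"^\$1\$({_B64}{{1,8}})\$({_B64}{{22}})$"),
    # _<4-char count><4-char salt><11-char hash>: "extended DES" ('_'-style), 20 chars
    "ext-des": re.compile(rf"^_({_B64}{{4}})({_B64}{{4}})({_B64}{{11}})$"),
    # <2-char salt><11-char hash>: "plain old DES", 13 chars
    "des": re.compile(rf"^({_B64}{{2}})({_B64}{{11}})$"),
}

def classify(hashed: str) -> str:
    """Return the crypt(3) scheme a master.passwd password field uses."""
    if hashed == "":
        return "empty"          # account with no password set
    if hashed.startswith(("*", "!")):
        return "locked"         # can never equal any crypt(3) output
    for name, pat in _PATTERNS.items():
        if pat.match(hashed):
            return name
    return "unknown"

def needs_rehash(hashed: str, preferred: str) -> bool:
    """Policy from the post: move every account to the preferred scheme at its
    next password change, whatever its current field uses."""
    scheme = classify(hashed)
    if scheme in ("locked", "unknown"):
        return False            # nothing sensible to migrate; leave for an admin
    return scheme != preferred

# Constructed sample fields (hypothetical user names, not real credentials).
SAMPLE_FIELDS = {
    "old_bsdos": "abJnggxhB/yWI",              # traditional DES, 13 chars
    "fresh": "",                               # new account, no password yet
    "already_md5": "$1$abcdefgh$" + "A" * 22,  # MD5-crypt
    "ext": "_J9..abcd" + "B" * 11,             # extended DES, 20 chars
    "locked": "*",
}

def migration_report(preferred: str = "md5") -> dict:
    """Map each sample user to (current scheme, whether a rehash is due)."""
    return {user: (classify(h), needs_rehash(h, preferred))
            for user, h in SAMPLE_FIELDS.items()}

if __name__ == "__main__":
    for user, (scheme, rehash) in migration_report().items():
        print(f"{user:12} {scheme:8} rehash={rehash}")
```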