From owner-freebsd-security  Tue Oct  5 14:15:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 8ED181565F; Tue,  5 Oct 1999 14:15:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 863E01CD46D; Tue,  5 Oct 1999 14:15:25 -0700 (PDT)
	(envelope-from kris@hub.freebsd.org)
Date: Tue, 5 Oct 1999 14:15:25 -0700 (PDT)
From: Kris Kennaway <kris@hub.freebsd.org>
To: "Rashid N. Achilov" <shelton@sentry.granch.ru>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: <Pine.BSF.4.10.9910051343340.3144-100000@sentry.granch.ru>
Message-ID: <Pine.BSF.4.10.9910051126420.82242-100000@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 5 Oct 1999, Rashid N. Achilov wrote:

> > DES *is* the default if the DES libraries are installed, unless the
> > user in question already has an MD5 password (in which case the system
> > will keep using MD5 every time he/she changes his/her password)
> 
> What can I really check, which passwd length is supported, and what can I
> revert to MD5, if need?

As DES pointed out (we really need a committer with initials MD5 just for
symmetry :-) once you have an MD5 password for your account it will remain
MD5 when you next change it. The easiest way to do this is to go to a
machine which has MD5 passwords, generate any password, and then
cut-n-paste it from /etc/master.passwd into your /etc/master.passwd. Then
you can change your password again and it will stay MD5.

Alternatively, you can generate an MD5 password by removing the
/usr/lib/libcrypt.* symlinks and repoint them to /usr/liblibscrypt - this
will temporarily switch off DES encryption, so you might want to do this
in single-user mode. Then just generate a new password using passwd(1) as
normal, and it will be MD5 since DES support is no longer enabled. Then
you can switch back on the DES libraries if you really need them.

This is kind of crufty - probably someone should just add a temporary
switch to passwd(1) which lets you choose whether to use MD5 if you have
DES installed. I have code which fixes things properly, but it's not quite
commit-worthy and I'm exiled in the land of the "free".

Kris




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message