From owner-freebsd-security@FreeBSD.ORG  Mon Feb  1 13:25:51 2010
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CA0111065676
	for <freebsd-security@freebsd.org>;
	Mon,  1 Feb 2010 13:25:51 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 87F1D8FC0A
	for <freebsd-security@freebsd.org>;
	Mon,  1 Feb 2010 13:25:51 +0000 (UTC)
Received: from ds4.des.no (des.no [84.49.246.2])
	by smtp.des.no (Postfix) with ESMTP id 953681FFC22;
	Mon,  1 Feb 2010 13:25:50 +0000 (UTC)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 6EF1384498; Mon,  1 Feb 2010 14:25:50 +0100 (CET)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Dan Lukes <dan@obluda.cz>
References: <20100128182413.GI892@noncombatant.org>
	<20100128135410.7b6fe154.wmoran@collaborativefusion.com>
	<20100128193941.GK892@noncombatant.org>
	<20100128151026.5738b6c1.wmoran@collaborativefusion.com>
	<20100128201857.GP892@noncombatant.org> <4B620DAC.4080608@bit0.com>
	<alpine.BSF.2.00.1001281738110.43056@beast.int.bit0.com>
	<4B621EC5.3030400@obluda.cz>
Date: Mon, 01 Feb 2010 14:25:50 +0100
In-Reply-To: <4B621EC5.3030400@obluda.cz> (Dan Lukes's message of "Fri, 29 Jan
	2010 00:33:25 +0100")
Message-ID: <86sk9l5bq9.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 13:25:51 -0000

Dan Lukes <dan@obluda.cz> writes:
> Mike Andrews <mandrews@bit0.com> writes:
> > There is probably a login.conf knob to raise the default number of
> > rounds beyond 2^4.
> No. The standard way of password change flow trough pam_unix.c.
>
> It call crypt(new_pass, salt) where salt is pseudo-random sequence. As
> such salt doesn't start with a magic, the default algorithm is
> selected. If it si blowfish, then crypt_blowfish(key, salt) is called.

Mike is mostly right and you are mostly wrong.  The default algorithm is
indeed controlled by login.conf and auth.conf, although there is no way
to specify the number of rounds.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no