From owner-freebsd-stable Sun Apr 23 20:15: 1 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9B85137B718; Sun, 23 Apr 2000 20:14:58 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA74464;
	Sun, 23 Apr 2000 20:14:59 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sun, 23 Apr 2000 20:14:58 -0700 (PDT)
From: Kris Kennaway
To: Jarrod
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: CRYPO dist installed outside US
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 24 Apr 2000, Jarrod wrote:

> Short of reinstalling the system and adding the accounts again, how can I
> remove the crypto dist which shouldn't be on there and bring the system back
> to the same passwd format our other FreeBSD (3.4-STABLE though) servers
> are using. Or is a full reinstallation required?

All you need to do is point the /usr/lib/libcrypt.* symlinks at
/usr/lib/libscrypt.* instead of /usr/lib/libdescrypt.* where they are
now. i.e. boot single-user, remove the symlinks, and recreate them with
ln -s.

Then reset any passwords which were created in DES format using
'passwd'. Now your system will be MD5 ("$1$....") only again.

> Are there any penalties or legal issues using crypto in Australia? I'm
> not quite sure of why it's a big deal during installation.

You're quite allowed to use it :) In fact it's a good thing to install the
crypto dist: you now have SSH support almost out of the box [*]. The only
downsides are:

1) DES passwords get automatically selected, and DES passwords suck
(relatively speaking)

2) You're using the semi-crippled US version of OpenSSL, instead of the
better international version.
See [*]

[*] See http://www.freebsd.org/handbook/openssl.html

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
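The reply above says to reset any passwords that were created in DES format. The following is an added example, not part of the original message, of one way to find those accounts: it classifies the hash field of a master.passwd-format file. It assumes the hash is the second colon-separated field, that MD5 hashes start with "$1$", and that traditional DES crypt hashes are exactly 13 characters from ./0-9A-Za-z; the function names and the sample accounts and hash strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose password hash is still in DES format.

# classify_hashes FILE -> one "user format" line per account
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }            # skip comments and malformed lines
        {
            h = $2
            if (h == "")
                fmt = "empty"
            else if (substr(h, 1, 3) == "$1$")
                fmt = "md5"                # the "$1$...." format named in the reply
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
                fmt = "des"                # traditional crypt: 2 salt + 11 hash chars
            else
                fmt = "other"              # "*", locked or unknown formats
            print $1, fmt
        }' "$1"
}

# des_users FILE -> names of accounts that need a reset with passwd
des_users() {
    classify_hashes "$1" | awk '$2 == "des" { print $1 }'
}

# write_sample FILE -> constructed sample data; the hash strings are
# placeholders with the right shape, not real hashes
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample in master.passwd layout
root:$1$consTruc$tedNotARealHashValue00:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:aaConstructed:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$consTruc$anotherConstructedValue:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:zzPlaceholder:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

sample=$(mktemp)
write_sample "$sample"
des_users "$sample"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/master.passwd as root, after the symlinks have been switched, and each listed account reset with 'passwd'.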