Date: Fri, 14 Oct 2005 13:17:09 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: babkin@users.sf.net
Cc: freebsd-hackers@freebsd.org, iwan@staff.usd.ac.id
Subject: Re: Re: system password's file
Message-ID: <20051014131206.M22507@fledge.watson.org>
In-Reply-To: <21965586.1129290866618.JavaMail.root@vms071.mailsrvcs.net>
References: <21965586.1129290866618.JavaMail.root@vms071.mailsrvcs.net>

On Fri, 14 Oct 2005, Sergey Babkin wrote:

>> The main man page you want to look at is passwd(5), which documents the
>> formats of the /etc/master.passwd and /etc/passwd file. In FreeBSD,
>> the master.passwd file is the equivalent of the shadow file in Linux.
>> What you want to do is convert the Linux password files to the
>> master.passwd file in FreeBSD, and then run
>
> Historically the problem has been that FreeBSD used its own MD5
> algorithm for encrypting the passwords which was incompatible with any
> other Unix, so just copying the password field to FreeBSD did not work.
> I don't know if it's fixed now or not. The reason for that was in the US
> cryptography export regulations, and those have been improved in the
> last few years. In any case, even if it's not directly supported then
> probably a PAM module can still be written.
>
> Hm, considering that we'd like people to migrate from Linux to FreeBSD,
> having such a conversion script/program (especially if someone writes it
> for their own use anyway) in the base system would make a lot of sense.

As far as I know, we've been able to read the DES hashes without a problem
as long as the right optional crypto bits were installed. Sometime in the
4.x series, the optional crypto bits became less optional, in that because
of changes in patents and export policy, integrating them tightly became
more possible. These days, the DES bits are installed by default, and so
portable DES hashes should "just work". However, we do write them out in
the MD5 hash still by default, so the problem is not getting to a recent
FreeBSD, but to switch away later should that be desirable.

There's a login.conf entry you can use to specify a preference for what
hash to use when writing out a new entry, and this is trivially changeable:

        :passwd_format=md5:

If you are running in a multi-OS environment using shared password
database entries, such as NIS, you will want to set the default to DES if
other systems don't support the md5 scheme (which is supported on an
increasing number of other systems), in order that password changes on a
FreeBSD system don't leave you unable to log into other systems.

Robert N M Watson
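
The conversion discussed in this thread, as an added Python example that is not part of the original message or of FreeBSD: it merges Linux passwd/shadow text into passwd(5) master.passwd lines and reports each entry's hash format, which is what decides whether the entry is usable on DES-only systems in the shared-database case described above. The names `hash_scheme` and `to_master_passwd` and the sample accounts are assumptions made for illustration.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash = 13 chars.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def hash_scheme(field):
    """Classify a password field by its crypt(3) format (hypothetical helper)."""
    if field.startswith("$1$"):
        return "md5"
    if DES_RE.match(field):
        return "des"
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    return "other"

def to_master_passwd(passwd_text, shadow_text):
    """Merge Linux passwd/shadow text into master.passwd lines.

    Returns (lines, report); report maps login name -> hash scheme.
    """
    shadow = {f[0]: f for f in
              (l.split(":") for l in shadow_text.splitlines() if l.strip())}
    lines, report = [], {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        sh = shadow.get(name)
        if pw == "x":
            # Hash lives in shadow; lock the account if the entry is missing.
            pw = sh[1] if sh else "*"
        # shadow keeps expiry in days since the epoch, master.passwd in seconds.
        expire = int(sh[7]) * 86400 if sh and len(sh) > 7 and sh[7] else 0
        # name:password:uid:gid:class:change:expire:gecos:home_dir:shell
        lines.append(":".join(
            [name, pw, uid, gid, "", "0", str(expire), gecos, home, shell]))
        report[name] = hash_scheme(pw)
    return lines, report

# Constructed sample input; the hash strings are placeholders, not real hashes.
PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
          "alice:x:1001:1001:Alice Example:/home/alice:/bin/sh\n"
          "bob:x:1002:1002:Bob Example:/home/bob:/bin/sh\n"
          "carol:x:1003:1003:Carol Example:/home/carol:/bin/sh\n")
SHADOW = ("root:!:13070:0:99999:7:::\n"
          "alice:$1$saltsalt$CONSTRUCTEDxHASHxVALUE:13070:0:99999:7:::\n"
          "bob:abCONSTRUCTED:13070:0:99999:7::13500:\n")
```

Entries reported as `md5` are the ones that would stop working on systems that only understand DES; `locked` entries (including accounts with no shadow record) stay unusable after conversion.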