From: Allan Jude
Date: Fri, 07 Mar 2014 17:53:21 -0500
To: d@delphij.net, nanoman@nanoman.ca, secteam@FreeBSD.org
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org
Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID: <531A4DE1.3070507@allanjude.com>
In-Reply-To: <531A42F3.5020207@delphij.net>

On 2014-03-07 17:06, Xin Li wrote:
> Hi,
>
> On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>>
>>>> [...]
>>>>
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=15000
>>>>
>>>> Like this?
>>>>
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>>
>>>> Request for comments:
>>>>
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>>>
>>>
>>> This looks like what we wanted. In the feedback you talked about
>>> some changes to your patch required to make it work, is there any
>>> progress on those?
>
>> Derek's patches worked perfectly for our needs, but we're the sort
>> of people who use vipw and our own utilities for user management.
>> It wasn't until later that we discovered at least one other file
>> would need patching to satisfy everyone. We didn't want to employ
>> the same copy-pasta method, so we asked for feedback about our
>> proposed alternative.
>
>> secteam@, do you have any comments? Before we put any more work
>> into this, we want to be sure that our proposal is an acceptable
>> one.
>
>
> Did you mean adding rounds capability, or transparent upgrade of
> crypt() algorithms, or both?

There are 2 separate but related threads:

1) specify rounds for crypt()
2) transparent upgrade of crypt() algo (or more likely just number of rounds)

>
> I need some time to digest the whole transparent upgrade idea but in
> general I think it's good.
>
> Speaking for adding rounds, the only problem that needs to be fixed is
> that the proposed patch makes it possible to create conflicting
> configuration (passwd_format and passwd_modular can use different
> hashing algorithms) and needs to be fixed and polished. I like the
> idea of making it possible to use more rounds though.
>
> Cheers,
>

--
Allan Jude
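
Added example, not part of the original message or of the FreeBSD patches under discussion: a sketch of the decision a transparent upgrade has to make after a successful login, using the cases named in the thread ($2a$04$ to $2b$12$, and sha512 with rounds=15000). The struct hash_policy type and the needs_upgrade() and parse_hash() names are hypothetical, and the sample strings carry placeholder salts and digests.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical policy: wanted hash id and minimum cost (not a FreeBSD struct). */
struct hash_policy {
    const char *id;  /* text between the first two '$': "2b", "6", ... */
    long cost;       /* bcrypt: log2 cost; sha-crypt: rounds */
};

/* Split a modular crypt string into id and cost; -1 if it is not modular. */
static int parse_hash(const char *h, char *id, size_t idlen, long *cost)
{
    const char *end, *field;
    size_t n;
    if (h == NULL || h[0] != '$' || (end = strchr(h + 1, '$')) == NULL)
        return -1;                       /* legacy DES or malformed */
    n = (size_t)(end - (h + 1));
    if (n == 0 || n >= idlen)
        return -1;
    memcpy(id, h + 1, n);
    id[n] = '\0';
    field = end + 1;
    if (id[0] == '2')                    /* bcrypt: $2x$NN$... */
        *cost = strtol(field, NULL, 10);
    else if (strcmp(id, "5") == 0 || strcmp(id, "6") == 0)  /* sha-crypt */
        *cost = strncmp(field, "rounds=", 7) ? 5000 : strtol(field + 7, NULL, 10);
    else
        *cost = 0;                       /* e.g. $1$ MD5: no tunable cost */
    return 0;
}

/* Call only after crypt() has verified the password; 1 means rehash it now. */
int needs_upgrade(const char *stored, const struct hash_policy *p)
{
    char id[8];
    long cost;
    if (parse_hash(stored, id, sizeof(id), &cost) != 0)
        return 1;
    return strcmp(id, p->id) != 0 || cost < p->cost;
}

int main(void)
{
    /* Constructed sample strings; salt and digest parts are placeholders. */
    struct hash_policy want = { "2b", 12 };
    printf("%d %d\n", needs_upgrade("$2a$04$PLACEHOLDER", &want),
        needs_upgrade("$2b$12$PLACEHOLDER", &want));
    return 0;
}
```

A sha-crypt string without a rounds= field is treated as the scheme's default of 5000 rounds, so it is flagged under a rounds=15000 policy.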