From: Kris Kennaway
To: hackers@FreeBSD.ORG
Cc: "Sean O'Connell", green@FreeBSD.ORG
Date: Wed, 22 Nov 2000 02:15:39 -0800
Subject: PAM and passwords (Re: Hmm..passwords.)

On Tue, Nov 21, 2000 at 03:31:12PM -0800, David O'Brien wrote:
> When Kris and I discussed this functionality (before Brian went and did
> it); we talked about much higher granularity than Brian implemented:
>
> MD5 everywhere
> DES everywhere
> MD5 locally / DES yp
> Convert to MD5
> Convert to DES

Only these last two are candidates for PAM. PAM (specifically pam_unix) doesn't and shouldn't care what crypt() does and what the algorithm it chooses to use is called; it just treats the strings as opaque data which are compared to the master.passwd records.
The latter two in your list could be implemented by a "recrypt" function in a PAM "password" module, which a) verifies the presented password, and b) generates a new password hash with the same plaintext, which is written out. This would have the effect that the new password would be whichever format is the current passwd_format for that user's login class, so you can transparently migrate users from one algorithm to another without having to expire passwords or mess with them by hand. You likely wouldn't want this to happen every time a user logs in, so there'd have to be some other condition which triggers it for a given account.

Kris
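The recrypt step Kris sketches, modelled in Python as an added example that is not part of the thread or of FreeBSD's pam_unix: the hash string is treated as opaque, the presented password is verified, and only when the stored format differs from the login class's configured passwd_format is the same plaintext rehashed and the record rewritten. The format tags and hashlib-based hash functions are constructed stand-ins for crypt(3)'s real DES/MD5 formats so the script runs anywhere; the record, user and password are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed stand-in "algorithms", tag -> (hashlib digest, PBKDF2 rounds).
# A real PAM module would call crypt(3) and never look inside the string.
FORMATS = {"md5": ("md5", 1000), "sha256": ("sha256", 100_000)}


def make_hash(fmt, password, salt=None):
    """Return an opaque '$<fmt>$<salt>$<hex>' string in the given format."""
    algo, rounds = FORMATS[fmt]
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), rounds)
    return f"${fmt}${salt}${digest.hex()}"


def verify(stored, password):
    """pam_unix-style check: rehash with the stored salt, compare whole strings."""
    try:
        _, fmt, salt, _ = stored.split("$", 3)
    except ValueError:
        return False                      # malformed record, never matches
    if fmt not in FORMATS:
        return False                      # unknown format, treat as no match
    return hmac.compare_digest(make_hash(fmt, password, salt), stored)


def recrypt(record, password, passwd_format):
    """(a) verify the presented password; (b) if the stored hash is not in the
    login class's current passwd_format, rehash the same plaintext and write it
    back into the record.  Returns (authenticated, migrated)."""
    if not verify(record["hash"], password):
        return False, False               # never touch the hash on a bad password
    if record["hash"].split("$", 2)[1] == passwd_format:
        return True, False                # trigger condition: nothing to migrate
    record["hash"] = make_hash(passwd_format, password)
    return True, True


# Constructed sample: alice still has an old-format hash while her login
# class now says passwd_format=sha256.
USER = {"name": "alice", "hash": make_hash("md5", "correct horse")}

if __name__ == "__main__":
    print(recrypt(USER, "wrong", "sha256"))           # (False, False)
    print(recrypt(USER, "correct horse", "sha256"))   # (True, True)
    print(recrypt(USER, "correct horse", "sha256"))   # (True, False), already migrated
```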