Date: Mon, 01 Jun 1998 21:57:29 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Eivind Eklund <eivind@yes.no>, "J.A. Terranson" <sysadmin@mfn.org>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Re: MD5 v. DES?
Message-ID: <5630.896731049@critter.freebsd.dk>
In-Reply-To: Your message of "Mon, 01 Jun 1998 15:47:38 EDT." <Pine.BSF.3.96.980601154152.4784E-100000@fledge.watson.org>
In message <Pine.BSF.3.96.980601154152.4784E-100000@fledge.watson.org>, Robert Watson writes:

>> I have been considering if we shouldn't introduce a
>>
>>     int checkuserpassword(char *user, char *password);
>>
>> in some library, rather than having all these programs know that
>> you should strcmp after calling crypt().  This would allow us to
>> do what you propose or RADIUS authentication for that matter...
>
> I personally dislike this idea -- where does this leave one-time-password
> users, etc?

Perfectly safe as always.  All it does is to make sure that you don't
have to modify ftpd, telnetd, login, popper, and uhm... what is the last
one, I keep forgetting, Hmm.....

Basically what I'm saying is that if all the places which have to
authenticate a user had a call where they could say:

    "Is password <foo> acceptable for user <bar> in context <program>"

then you can implement this function whichever way you want, rather than
have to modify twenty-odd programs which all do the

    pw = getpwnam(user);
    getpassword(buffer);
    if (strcmp(pw->pw_passwd, crypt(buffer, pw->pw_passwd)) != 0) {
        sorry...
    }

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5630.896731049>
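The design argued for above (one library call that answers "is password <foo> acceptable for user <bar> in context <program>", with the policy living behind that call rather than in ftpd, telnetd, login and the rest) is sketched below as an added example. It is not FreeBSD code and not code from this thread. Everything in it is an assumption made for the example: the user names and their entries are constructed; the static-password hash is a salted PBKDF2 string standing in for crypt(3) so the file runs without libcrypt; the one-time-password scheme is RFC 4226 HOTP rather than S/Key; and the table of contexts in which an OTP user may not fall back to a static password is an invented policy. The point it shows is the one the reply makes: an OTP user is still protected because the library, not the calling program, decides what is acceptable in which context, and the calling program never sees a hash or does its own strcmp (the compare is constant-time inside the library).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Stand-in for the pw_passwd field: a salted PBKDF2-HMAC-SHA256 string
# "$pbkdf2$<iterations>$<salt hex>$<digest hex>".  Assumption for this
# example; libc would call crypt(3) here.
def hash_password(password: str, salt: bytes, iterations: int = 50_000) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def password_matches(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations, compare in constant time."""
    try:
        _, scheme, iters, salt_hex, _ = stored.split("$")
        if scheme != "pbkdf2":
            return False
        candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    except ValueError:          # malformed entry: never accept
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())

# RFC 4226 HOTP, used here as the one-time-password scheme (FreeBSD's S/Key
# is a different scheme; HOTP is chosen only because it fits in a few lines).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:
    pw_passwd: str                       # static password hash
    otp_secret: Optional[bytes] = None   # set => user is an OTP user
    otp_counter: int = 0                 # next counter the user's token uses

# Constructed user database (stand-in for getpwnam()).
USERS: Dict[str, Account] = {
    "alice": Account(hash_password("correct horse", b"salt-for-alice--")),
    "bob": Account(hash_password("bob-static-pw", b"salt-for-bob----"),
                   otp_secret=b"12345678901234567890", otp_counter=0),
}

# Contexts (program names) in which an OTP user must present a one-time
# password; a static password from such a user is only accepted from a
# context not listed here (e.g. "login" on the console).  Invented policy.
OTP_REQUIRED_CONTEXTS = {"ftpd", "telnetd", "popper"}

# Hashed even for unknown users so "no such user" is not cheaper than
# "wrong password" (user enumeration by timing).
_DUMMY = hash_password("dummy", b"dummy-salt-------")

def checkuserpassword(user: str, password: str, context: str) -> bool:
    """Is <password> acceptable for <user> in context <program>?"""
    acct = USERS.get(user)
    if acct is None:
        password_matches(password, _DUMMY)
        return False
    if acct.otp_secret is not None:
        expected = hotp(acct.otp_secret, acct.otp_counter)
        if hmac.compare_digest(password.encode(), expected.encode()):
            acct.otp_counter += 1        # consume: the same code never works twice
            return True
        if context in OTP_REQUIRED_CONTEXTS:
            return False                 # no static-password fallback here
    return password_matches(password, acct.pw_passwd)

def next_otp(user: str) -> str:
    """What the user's token would display now (demo helper, not part of the API)."""
    acct = USERS[user]
    return hotp(acct.otp_secret, acct.otp_counter)

if __name__ == "__main__":
    # What ftpd/telnetd/login would call instead of getpwnam+crypt+strcmp.
    print(checkuserpassword("alice", "correct horse", "ftpd"))   # True
    code = next_otp("bob")
    print(checkuserpassword("bob", "bob-static-pw", "ftpd"))     # False
    print(checkuserpassword("bob", code, "ftpd"))                # True
    print(checkuserpassword("bob", code, "ftpd"))                # False (replay)
```

A RADIUS backend, as mentioned in the quoted proposal, would slot in the same way: another branch inside checkuserpassword() keyed on the account or the context, with the twenty-odd callers unchanged.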