Date:      Fri, 29 Sep 2000 19:24:04 -0400
From:      "Brian F. Feldman" <green@FreeBSD.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        Jim Mercer <jim@reptiles.org>, hackers@FreeBSD.org, Brian Feldman <green@FreeBSD.org>
Subject:   Re: stuck on MD5 passwd's, host to revert to DES 
Message-ID:  <200009292324.e8TNO5515121@green.dyndns.org>
In-Reply-To: Message from Kris Kennaway <kris@FreeBSD.org>  of "Thu, 28 Sep 2000 21:01:03 PDT." <Pine.BSF.4.21.0009282059430.63209-100000@freefall.freebsd.org> 

> On Thu, 28 Sep 2000, Jim Mercer wrote:
> 
> > On Thu, Sep 28, 2000 at 06:14:07PM -0700, Kris Kennaway wrote:
> > > Set the value of the passwd_format login capability to "des" in
> > > /etc/login.conf.
> > > 
> > > Brian Feldman neglected to document or mention this in the release notes
> > > at all, as far as I can tell. No cookie! Please fix this ASAP, Brian.
> > 

I didn't document it in login.conf(5) -- that was an oversight.  I'll add 
that in a bit (soon).  I documented it in login_cap(3), so the programmers
know about it but not the sysadmins :(

> > so, is the intention to have FreeBSD default to md5?
> 
> Yes. It's the more secure alternative and is quite suitable for most
> users. All the rest of you need to do is add the 'des' login capability in
> the default class.
> 
> > the reason i ask, is that if people cvsup without seeing or noticing this,
> > they may not realize until too late that the new passwords are md5.
> > 
> > anyone using nis with non-freebsd systems might get really upset.
> 
> It should have been documented. It still can be :-)

Agreed.  It will work by default if FreeBSD systems are doing the yppasswdd, 
otherwise you'll probably get locked out of changing your password (because 
the remote yppasswdd must verify your old passwd, but then the new password 
probably won't have the same kinds of checks against it).  Actually, you'd 
probably not be able to log in.  This just needs to be documented; a FreeBSD 
system previously had to be manually set to use the DES libcrypt, but it 
would default the other way if the "secure" distribution was installed.  Now 
it just needs a different change, and a bit of an easier one.

> Kris
> 
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe <forsythe@alum.mit.edu>
> 
> 


--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
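
Added example, not part of the original message or of FreeBSD: a Python check an administrator could run over a master.passwd-format file (for instance the source of an NIS passwd map) to list accounts whose hash is not traditional DES and would therefore not verify on the non-FreeBSD NIS systems discussed above. The function names and sample entries are constructed for illustration; it assumes traditional DES hashes are 13 characters from the crypt alphabet and MD5 hashes have the form $1$salt$hash.

```python
import re

# Constructed sample in master.passwd(5) layout:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
# The hash strings are made-up placeholders with the right shape only.
SAMPLE = """\
# constructed sample, not real accounts
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
jim:abJnggxhB/yWI:1001:1001::0:0:Jim:/home/jim:/bin/sh
kris:*:1002:1002::0:0:Kris:/home/kris:/bin/sh
brian:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1003:1003::0:0:Brian:/home/brian:/bin/sh
"""

B64 = r"[./0-9A-Za-z]"                      # crypt(3) base-64 alphabet
DES_RE = re.compile(rf"^{B64}{{13}}$")      # 2-char salt + 11-char hash
MD5_RE = re.compile(rf"^\$1\$[^$:]{{1,8}}\${B64}{{22}}$")

def classify(pw_field):
    """Return 'des', 'md5', 'locked', 'empty' or 'other' for one hash field."""
    if pw_field == "":
        return "empty"
    if pw_field[0] in "*!":                 # no usable hash stored
        return "locked"
    if MD5_RE.match(pw_field):
        return "md5"
    if DES_RE.match(pw_field):
        return "des"
    return "other"

def audit(text):
    """Map each account name to the format of its stored hash."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:                 # malformed line, skip it
            continue
        result[fields[0]] = classify(fields[1])
    return result

def not_des(text):
    """Accounts a DES-only crypt(3) on another system could not verify."""
    return [n for n, fmt in audit(text).items() if fmt in ("md5", "other")]

if __name__ == "__main__":
    for name in not_des(SAMPLE):
        print(f"{name}: hash is not DES; reset it after setting passwd_format")
```

Accounts it reports keep their existing hash after passwd_format is set to "des" in /etc/login.conf; only passwords changed afterwards are stored in the new format.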