From: Palle Girgensohn
To: freebsd-stable@freebsd.org
Cc: dd@freebsd.org
Date: Wed, 31 Oct 2001 04:24:18 +0100 (CET)
Message-Id: <200110310324.f9V3OIi09397@elbas.partitur.se>
Subject: mixed crypt_formats fails on 4.4

Hi!

I have an apache passwd db-file where I have traditionally used md5 encrypted passwords (by symlink in /usr/lib/libcrypt.so -> libscrypt.so).

After upgrading the system to 4.4-release, I did not immediately notice the /etc/auth.conf file, and so the default was reset to DES for a while. Two weeks later, I realized my mistake and set the crypt_default property in auth.conf to md5. About 300, about 2% of the users, got their passwords in DES after this time (users can change and create accounts using different methods, servlets, cgi progs, command line...)

After that, I have got complaints that some people can't login. Of course, these people all have DES encrypted passwords.

I did some research, and here is what I found out:

In 4.4, libcrypt.so can properly authenticate users with des or md5 encrypted passwords using crypt-des.c (i.e. crypt_format=des), but not when crypt_format is md5.

In <= 4.3, I used libscrypt (combined with NODESCRYPTLINKS=true in make.conf, and symlinks from libcrypt* -> libscrypt* in /usr/lib). The effect was md5 as default crypt format, and the possibility to verify both des and md5.

Better put:

                    verifies passwords in
  crypt_default:    < 4.4       4.4
  des               des         des&md5
  md5               des&md5     md5

In short, I need to set /etc/auth.conf to des in order to verify both des & md5, where I previously had the opposite effect.

Is there any way I can force the 4.3 behaviour cleanly? Is it supposed to work like this? I will have to modify all our applications setting passwords to use set_crypt_format("md5") instead of using the fine auth.conf... :(

Thanks for any input!

/Palle
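
Added example, not part of the original message: a small audit script for the situation described above, sorting the entries of a password file into traditional DES crypt hashes and MD5 (`$1$`) hashes so the affected accounts can be listed. It assumes a flat `user:hash` text export of the password database (the message does not show the db-file layout); the user names and hash strings are constructed samples.

```python
import re
from collections import defaultdict

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: "$1$" + salt (1 to 8 chars) + "$" + 22 hash chars.
MD5_RE = re.compile(r"^\$1\$[^$:]{1,8}\$[./0-9A-Za-z]{22}$")

def classify_hash(stored):
    """Return 'md5', 'des' or 'unknown' for one stored crypt(3) string."""
    if MD5_RE.match(stored):
        return "md5"
    if DES_RE.match(stored):
        return "des"
    return "unknown"

def audit(lines):
    """Group user names by hash format; input is 'user:hash' lines (assumed layout)."""
    groups = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep:
            groups["unknown"].append(user)
            continue
        # Ignore any further colon-separated fields after the hash.
        groups[classify_hash(stored.split(":", 1)[0])].append(user)
    return dict(groups)

# Constructed sample entries (not real accounts; hash strings are format-valid dummies).
SAMPLE = """\
alice:$1$abcdefgh$0123456789ABCDEFGHIJKL
bob:ab0123456789A
carol:$1$saltsalt$./abcdefghijklmnopqrst
dave:!locked
"""

if __name__ == "__main__":
    result = audit(SAMPLE.splitlines())
    for fmt in ("md5", "des", "unknown"):
        users = result.get(fmt, [])
        print(f"{fmt:8s}{len(users):4d}  {', '.join(users)}")
```

Entries reported as `des` are the accounts the message describes as failing to log in once crypt_default is set to md5 on 4.4.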