Date: Sat, 30 Sep 2000 10:49:32 -0400 (EDT)
From: Robert Watson
To: jack
Cc: hackers@FreeBSD.ORG
Subject: Re: stuck on MD5 passwd's, host to revert to DES

On Fri, 29 Sep 2000, jack wrote:

> On Sep 28 Kris Kennaway wrote:
>
> > On Thu, 28 Sep 2000, Jim Mercer wrote:
> >
> > > the reason i ask, is that if people cvsup without seeing or noticing this,
> > > they may not realize until too late that the new passwords are md5.
> > >
> > > anyone using nis with non-freebsd systems might get really upset.
> >
> > It should have been documented. It still can be :-)
>
> A change of this magnitude to default system behavior should have
> been preceded by a HEADS UP to the stable list, IMO. Would have
> saved me several hours of aggravation.

As someone who works in an environment where NIS is widely used with non-FreeBSD systems, I would comment that the current defaults (at least, change in them) are a disaster, especially given that they weren't documented. It was confusing enough before when I had to make sure (by phone, mind you) that people installed the DES support to get NIS to work. Now the defaults have magically switched, and in a way that wasn't documented. Joy.

Maybe we should update ERRATA or the release notes for 4.1.1-RELEASE to make sure it's in there, and send out a formal note to -stable and possibly -announce. While I fortunately heard about this here first, I would frankly hate to have spent hours and hours remotely debugging a change that could potentially make it difficult for people to log in, and then propagated MD5 passwords into a DES password environment.

The benefit of the old behavior was that, for FreeBSD to work in a mixed environment with NIS, DES had to be installed, meaning that DES would be the default for passwords. This was an implicit effect of allowing portable use of NIS.

I wonder if there would be any way to force users of NIS to submit passwords using DES by default? The current framework doesn't seem to support or encourage that in a way that can be "default" and yet safe for normal use.

Robert N M Watson

robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
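
A check for the failure mode described in this message, MD5 hashes ending up in a password map that DES-only NIS clients read, as an added example that is not part of the original post. It assumes the map is available as text in passwd(5) layout (for example the output of `ypcat passwd`), that MD5 crypt hashes carry the `$1$` prefix, and that traditional DES hashes are 13 characters; the function names and sample data are constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"                       # crypt(3) output alphabet
DES_RE = re.compile(rf"{B64}{{13}}")         # 2-char salt + 11-char hash
MD5_RE = re.compile(rf"\$1\$[^$:]{{1,8}}\${B64}{{22}}")  # $1$salt$hash


def classify(pw_field):
    """Return the hash scheme of one passwd(5) password field."""
    if not pw_field:
        return "empty"
    if pw_field[0] in "*!":
        return "locked"                      # no usable hash, login disabled
    if DES_RE.fullmatch(pw_field):
        return "des"
    if MD5_RE.fullmatch(pw_field):
        return "md5"
    return "unknown"


def audit(lines):
    """Return (user, scheme) for entries a DES-only NIS client cannot verify."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#+-":     # comments and NIS compat entries
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                         # malformed line, nothing to check
        scheme = classify(fields[1])
        if scheme in ("md5", "unknown"):
            findings.append((fields[0], scheme))
    return findings


# Constructed sample map in passwd(5) layout; hash strings are made-up filler.
SAMPLE = """\
# constructed test data
alice:abJnggxhB/yWI:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
+::::::
""".splitlines()

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme} hash, not usable by DES-only clients")
```

Run against the map before it is pushed to the NIS master, any account it reports needs its password reset under DES before non-FreeBSD clients can authenticate it.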