Date: Sat, 30 Sep 2000 10:49:32 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: jack <jack@germanium.xtalwind.net>
Cc: hackers@FreeBSD.ORG
Subject: Re: stuck on MD5 passwd's, host to revert to DES
Message-ID: <Pine.NEB.3.96L.1000930104341.40031E-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.21.0009290023040.34524-100000@germanium.xtalwind.net>
On Fri, 29 Sep 2000, jack wrote:

> On Sep 28 Kris Kennaway wrote:
>
> > On Thu, 28 Sep 2000, Jim Mercer wrote:
> >
> > > the reason i ask, is that if people cvsup without seeing or noticing this,
> > > they may not realize until too late that the new passwords are md5.
> > >
> > > anyone using nis with non-freebsd systems might get really upset.
> >
> > It should have been documented. It still can be :-)
>
> A change of this magnitude to default system behavior should have
> been preceded by a HEADS UP to the stable list, IMO. Would have
> saved me several hours of aggravation.

As someone who works in an environment where NIS is widely used with non-FreeBSD systems, I would comment that the current defaults (at least, change in them) are a disaster, especially given that they weren't documented. It was confusing enough before when I had to make sure (by phone, mind you) that people installed the DES support to get NIS to work. Now the defaults have magically switched, and in a way that wasn't documented. Joy.

Maybe we should update ERRATA or the release notes for 4.1.1-RELEASE to make sure it's in there, and send out a formal note to -stable and possibly -announce. While I fortunately heard about this here first, I would frankly hate to have spent hours and hours remotely debugging a change that could potentially make it difficult for people to log in, and then propagated MD5 passwords into a DES password environment.

The benefit of the old behavior was that, for FreeBSD to work in a mixed environment with NIS, DES had to be installed, meaning that DES would be the default for passwords. This was an implicit effect of allowing portable use of NIS. I wonder if there would be any way to force users of NIS to submit passwords using DES by default? The current framework doesn't seem to support or encourage that in a way that can be "default" and yet safe for normal use.

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
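
An added example, not part of the original message or of FreeBSD itself: a check that a passwd-format NIS map holds only traditional DES crypt hashes before it is pushed to clients that cannot verify MD5 (`$1$`) hashes, which is the propagation problem described above. The function names are illustrative, and the sample entries and hash strings are constructed.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# BSDi extended DES: '_' + 4 count chars + 4 salt chars + 11 hash chars.
EXT_DES_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")
# Modular crypt format "$id$salt$hash"; id "1" is MD5.
MCF_RE = re.compile(r"^\$([^$]+)\$")


def classify(field):
    """Name the hash scheme of one passwd-style password field."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")) or field == "x":
        return "locked"
    m = MCF_RE.match(field)
    if m:
        return "md5" if m.group(1) == "1" else "mcf-" + m.group(1)
    if DES_RE.match(field):
        return "des"
    if EXT_DES_RE.match(field):
        return "des-ext"
    return "unknown"


def audit(map_text, allowed=("des",)):
    """Return (user, scheme) for entries DES-only clients cannot verify."""
    findings = []
    for line in map_text.splitlines():
        # Skip blanks, comments and NIS +/- compat entries.
        if not line.strip() or line[0] in "#+-":
            continue
        fields = line.split(":")
        # A line with no password field at all is reported as "unknown".
        scheme = classify(fields[1]) if len(fields) > 1 else "unknown"
        if scheme not in allowed and scheme not in ("locked", "empty"):
            findings.append((fields[0], scheme))
    return findings


# Constructed sample map; the hash strings are made up, not real hashes.
SAMPLE_MAP = """\
alice:abJnggxhB/yWI:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$Zx8kLq2p$Qw3rTy7UiOpAsDfGhJkLz.:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
dave:_J9..saltK1b2C3d4E5f:1004:1004:Dave:/home/dave:/bin/sh
"""

FINDINGS = audit(SAMPLE_MAP)  # [("bob", "md5"), ("dave", "des-ext")]
```

The password is the second colon-separated field in both the NIS passwd map and FreeBSD's master.passwd, so the same check can be run against either file.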