From owner-freebsd-security  Tue Apr 21 16:47:04 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA22400
          for freebsd-security-outgoing; Tue, 21 Apr 1998 16:47:04 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA22395
          for <freebsd-security@freebsd.org>; Tue, 21 Apr 1998 23:46:59 GMT
          (envelope-from softweyr@xmission.xmission.com)
Received: (from softweyr@localhost) by xmission.xmission.com (8.8.8/8.7.5) id RAA24929; Tue, 21 Apr 1998 17:46:38 -0600 (MDT)
From: Wes Peters - Softweyr LLC <softweyr@xmission.com>
Message-Id: <199804212346.RAA24929@xmission.xmission.com>
Subject: Re: md5, des, et al.
To: jaitken@dimension.net
Date: Tue, 21 Apr 1998 17:46:37 -0600 (MDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199804211812.OAA27421@gizmo.dimension.net> from "Jeff Aitken" at Apr 21, 98 02:12:49 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> A recent poster (sorry, I deleted the message, so I don't remember
> who) said something about using dlopen() and friends (we'll assume
> for argument's sake that that will work flawlessly).  
> 
> However, doesn't any solution involving shared {libraries,object code}
> merely solve half of the problem?  Suppose you have md5.so, des.so,
> blowfish.so, and foobar.so.  Obviously, you can now decrypt
> passwords encrypted with DES, MD5, etc.  However, when a user
> changes his or her password, which scheme is used to generate the
> new password?

Simple.  If a user wants to change her password, use the same
encryption method currently used on her password.  The difficulty
starts when you're creating a new password.  By default, use the
encryption method suggested in /etc/login.conf (or /etc/passwd.conf if
you wish).  It would also be necessary to extend passwd with an option
to specify the encryption to use, for creating new accounts and for
changing the encryption format (if allowed by
/etc/{passwd,login}.conf).

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message