From owner-freebsd-stable  Wed Aug  9 11:55:38 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from ns.altadena.net (ns.altadena.net [206.126.144.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 381A537BEEE; Wed,  9 Aug 2000 11:55:28 -0700 (PDT)
	(envelope-from pete@ns.altadena.net)
Received: (from pete@localhost)
	by ns.altadena.net (8.9.3/8.8.8) id LAA02796;
	Wed, 9 Aug 2000 11:55:22 -0700 (PDT)
	(envelope-from pete)
From: Pete Carah <pete@ns.altadena.net>
Message-Id: <200008091855.LAA02796@ns.altadena.net>
Subject: Re: crypt(3) problems
In-Reply-To: <Pine.BSF.4.21.0008081839450.16224-100000@green.dyndns.org> from
 Brian Fundakowski Feldman at "Aug 8, 2000 06:42:52 pm"
To: Brian Fundakowski Feldman <green@FreeBSD.org>
Date: Wed, 9 Aug 2000 11:55:22 -0700 (PDT)
Cc: current@FreeBSD.org, stable@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL68 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> We should switch to using just libdescrypt and being allowed to switch
> crypt formats easily between md5 and des.  My proposed solution using
> login.conf is at http://people.FreeBSD.org/~green/crypt_switching.patch,
> and it's going to be put into production usage relatively soon (that is,
> whether or not it's actually in FreeBSD).

As long as things get switched around so that the format decision is 
external to libdescrypt and the existing password, so we can change an existing
des passwd to md5.  However, in our case, apache still needs to
generate des but *all* other uses want md5.  The link choice is the
easiest way to select this, with environment next.  Config files won't
really work since they can't anticipate all uses.

The full-blown pam implementations do it with pam parameters; login.conf
is fine but won't work for "third-party" situations like I was commenting
on (i.e. apache needs to accept and generate des but most other need 
md5, etc etc)...  Perhaps an environment variable?

libdescrypt is close since it will accept either; a fixed choice for
what it generates, external to *any* application code (e.g. environment 
vars (easiest) or (if possible) config files that are somehow *completely* 
universal (I don't see how to do this without application mods unless the 
library can transparently get at argv[0] independently of what the app does 
like ++argv, etc)) would be nice.

-- Pete


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message