Date: Thu, 29 Feb 1996 01:53:39 GMT
From: Adam David <adam@veda.is>
To: mark@grondar.ZA (Mark Murray)
Cc: freebsd-current@freebsd.org
Subject: Re: New Dual-personality crypt
Message-ID: <199602290153.BAA23248@veda.is>
References: <199602250807.KAA20978@grumble.grondar.za>

>Nate Williams wrote:
>> How can I force my passwords to be the old DES crypt function on a box
>> that previously used MD5 crypt? There are only two accounts on it (mine
>> and root), but I'd like it to use DES like all of the other machines in
>> the group.
>
>This was a design point that I could not quite decide on. I decided
>to go the route-of-least-change and keep the encryption algorithm that
>was used to make the entry in the first place.
>
>> Even after I've re-run passwd after installing the new libraries and
>> binaries, it's still generating MD5 passwords instead of DES passwords.
>
>I have been slowly getting round to putting an option in passwd(1)
>to allow the user to select the encryption algorithm, but I am not
>too sure how to deal with the case of the system without DES. I'm
>sure I can come up with something.
>
>> How do I force it to generate old-style DES passwords in spite of what
>> the old passwords were, short of removing the password completely and
>> then re-generating passwords? Shouldn't the new routine 'generate'
>> passwords using the default routines, but read passwords from both?
>
>See above. I'd greatly appreciate some input on this. I'm kinda
>prepared to go either way once I have some sort of idea what the
>group would prefer. In the meanwhile, it is unfortunately only
>possible to force DES by removing the old MD5 password.

The encryption methods and default behaviour are site-admin decisions.
Therefore it would be useful to see the following as possibilities:

Admins to specify which encryption methods are available for passwords, and set
the default to one of { same_as_previous, DES, MD5, ...<other_methods>... }

If users are allowed to select which method, admins should be able to restrict
the choices to any subset of the methods recognised and handled by the site,
thus providing a means of transparent migration from one set of encryption
methods to another.

I understood the original dual-personality crypt announcement essentially to
mean the same as I have stated here, except with the enforcement of {DES, MD5}
as the available set, and that ordinary users would typically have no choice
over which method is used to generate the new password.

--
Adam David <adam@veda.is>
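
The policy proposed in the message above, as an added C sketch that is not part of the original e-mail or of FreeBSD's passwd(1): it picks the method for a new password from an admin-defined available set, a default of { same_as_previous, DES, MD5 }, and an optional user request. All type and function names are hypothetical, and the fallback order used when the previous method is no longer available is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; this models the proposal, not passwd(1). */
enum method { M_NONE = 0, M_DES = 1, M_MD5 = 2 };   /* bit flags */
enum deflt  { D_SAME_AS_PREVIOUS, D_DES, D_MD5 };

struct policy {
    unsigned   available;        /* methods the admin allows for new passwords */
    enum deflt dflt;             /* used when no method is requested */
    int        user_may_choose;  /* may ordinary users request a method? */
};

/* "$1$" marks an MD5 crypt hash; traditional DES is 13 chars of [./0-9A-Za-z]. */
enum method classify(const char *hash)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (hash == NULL) return M_NONE;
    if (strncmp(hash, "$1$", 3) == 0) return M_MD5;
    if (strlen(hash) == 13 && strspn(hash, set) == 13) return M_DES;
    return M_NONE;
}

/* Method for a NEW password; M_NONE means the policy refuses the request. */
enum method choose_method(const struct policy *p, const char *old_hash,
                          enum method requested)
{
    enum method m;
    if (requested != M_NONE)     /* user asked for a specific method */
        return (p->user_may_choose && (p->available & requested))
                   ? requested : M_NONE;
    switch (p->dflt) {
    case D_DES: m = M_DES; break;
    case D_MD5: m = M_MD5; break;
    default:    m = classify(old_hash); break;   /* same_as_previous */
    }
    if (m != M_NONE && (p->available & m)) return m;
    /* Previous method retired or unknown: migrate. Order is an assumption. */
    if (p->available & M_MD5) return M_MD5;
    return (p->available & M_DES) ? M_DES : M_NONE;
}

int main(void)
{
    struct policy migrate = { M_MD5, D_SAME_AS_PREVIOUS, 0 };
    /* Constructed DES-format string, not a real hash. */
    printf("%d\n", choose_method(&migrate, "ab0123456789.", M_NONE));
    return 0;
}
```

Verification of existing entries is outside this sketch: it only decides how the next password is hashed, which is what lets an admin retire a method without invalidating stored hashes.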
