From owner-freebsd-security  Wed Apr 22 14:05:37 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA26233
          for freebsd-security-outgoing; Wed, 22 Apr 1998 14:05:37 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.129.14])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA26027
          for <freebsd-security@freebsd.org>; Wed, 22 Apr 1998 21:05:08 GMT
          (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id XAA04942;
	Wed, 22 Apr 1998 23:02:09 +0200 (CEST)
To: Mark Murray <mark@grondar.za>
cc: "Matthew N. Dodd" <winter@jurai.net>, Nate Williams <nate@mt.sri.com>,
        Peter Wemm <peter@netplex.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Static vs. dynamic linking (was Re: Using MD5 insted of DES ...) 
In-reply-to: Your message of "Wed, 22 Apr 1998 22:24:24 +0200."
             <199804222024.WAA00701@greenpeace.grondar.za> 
Date: Wed, 22 Apr 1998 23:02:09 +0200
Message-ID: <4940.893278929@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

In message <199804222024.WAA00701@greenpeace.grondar.za>, Mark Murray writes:
>Poul-Henning Kamp wrote:
>> What about the root password prompt in /sbin/init ?
>> 
>> That is the only really troublesome case...
>
>Of the very lively dialog that thas passsed on this subject the last 
>couple of days, the most useable solution seems to be (in the case of 
>apps in /(s)bin that may need alternative crypts) is to link them using 
>the normal dynamic flags, except to force them to use the static 
>libraries. This way will get a useable dlopen, and will allow the app to 
>function as required, and will not break the rest of the world with a 
>dynamic /(s)bin/*. The apps can then use a (say) cryptdes.so if it 
>exists.
>
>Is my summary OK?

Yes, I think we just need to see some code.

What about the SHS ($2$) suport for crypt() should we sneak that in
at the same time ?

Did we also agree that login.conf can specify which encryption to 
use along these lines:

	modify existing password:
		entry in login.conf ?
			yes: use what login.conf says
			no: use same as existing password.

	create new password:
		entry in login.conf ?
			yes: use what login.conf says
			no: use same as current root password

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message