From owner-freebsd-security Sun Oct 1 14:33:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D474937B503;
	Sun, 1 Oct 2000 14:33:25 -0700 (PDT)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id OAA49537;
	Sun, 1 Oct 2000 14:33:25 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Date: Sun, 1 Oct 2000 14:33:25 -0700
From: Kris Kennaway
To: achilov@granch.ru
Cc: "Vladimir B. Grebenschikov", freebsd-security@FreeBSD.ORG
Subject: Re: MD5 passwords vs DES
Message-ID: <20001001143325.A44714@freefall.freebsd.org>
References: <14789.42660.401430.305445@vbook.express.ru> <39D79CF0.D794F732@sentry.granch.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39D79CF0.D794F732@sentry.granch.ru>; from shelton@sentry.granch.ru on Mon, Oct 02, 2000 at 03:22:08AM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Oct 02, 2000 at 03:22:08AM +0700, Rashid N. Achilov wrote:
> "Vladimir B. Grebenschikov" wrote:
> >
> > I have a question:
> >
> > Does anybody have ideas to add 'default crypting mode' for utilities
> > like passwd, adduser, etc ?
> >
>
> Manually change for all users passwords to MD5, then simply edit symlink
> libcrypt.so.2 (I assume 4.1-RELEASE) to point to a libscrypt.so.2 and
> libcrypt.a to point to a libscrypt.a. Now you can't use DES passwords
> until revert back links, but all created users now will have MD5-crypted
> passwords

This is no longer true as of 4.1.1-RELEASE, although it wasn't documented
there. Basically, you control which form users in a particular login class
get with the passwd_format login capability, which takes values of "des" or
"md5". This is documented in login_cap(5) in recent 4.1.1-STABLE, and I
think Brian was going to add an erratum about it.
Of course, you still need to install des-capable libraries to enable des
passwords (as before), but it won't magically change the default password
format.

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
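An added example, not part of the original message or of FreeBSD: an audit sketch that resolves each login class's passwd_format from login.conf-style text and lists accounts whose stored hash is still in the other format. The sample files are constructed; the "$1$" prefix for MD5 and the 13-character form for traditional DES are the usual crypt(3) conventions, assumed here.

```python
import re

# Constructed sample data, not taken from the original message.
LOGIN_CONF = r"""
default:passwd_format=md5:
legacy:\
    :passwd_format=des:\
    :tc=default:
staff:tc=default:
"""
MASTER_PASSWD = """\
alice:$1$Zq3xkT1a$0123456789abcdefghijk.:1001:1001:staff:0:0:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yWI:1002:1002:staff:0:0:Bob:/home/bob:/bin/sh
carol:abJnggxhB/yWI:1003:1003:legacy:0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/home/dave:/sbin/nologin
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from termcap-style records."""
    classes = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # fold continuations
        fields = [f for f in line.strip().split(":") if f]
        if not fields or fields[0].startswith("#"):
            continue
        pairs = dict(c.split("=", 1) for c in fields[1:] if "=" in c)
        for name in fields[0].split("|"):                   # name|alias
            classes[name] = pairs
    return classes

def passwd_format(classes, cls, depth=0):
    """Resolve passwd_format for a class, following tc= inheritance."""
    caps = classes.get(cls) or classes.get("default", {})
    if "passwd_format" in caps or "tc" not in caps or depth >= 8:  # tc= loop guard
        return caps.get("passwd_format")                    # None when unset
    return passwd_format(classes, caps["tc"], depth + 1)

def hash_format(pw):  # classify a stored hash by its crypt(3) shape
    if pw.startswith("$1$"):
        return "md5"
    return "des" if re.fullmatch(r"[./0-9A-Za-z]{13}", pw) else None

def mismatched_users(login_conf=LOGIN_CONF, master_passwd=MASTER_PASSWD):
    """List (user, stored, wanted) where the hash differs from the class setting."""
    classes, out = parse_login_conf(login_conf), []
    for f in (l.split(":") for l in master_passwd.splitlines() if l.count(":") == 9):
        stored, wanted = hash_format(f[1]), passwd_format(classes, f[4])
        if stored and wanted and stored != wanted:
            out.append((f[0], stored, wanted))
    return out
```

Accounts it lists keep their old hash until the password is next set; locked entries and unrecognised hash schemes are skipped rather than guessed at.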