From owner-freebsd-hackers  Mon Oct  2  7:34:51 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail2.netcologne.de (mail2.netcologne.de [194.8.194.103])
	by hub.freebsd.org (Postfix) with ESMTP id DECDF37B503
	for <hackers@FreeBSD.ORG>; Mon,  2 Oct 2000 07:34:46 -0700 (PDT)
Received: from bagabeedaboo.security.at12.de (dial-213-168-73-43.netcologne.de [213.168.73.43])
	by mail2.netcologne.de (8.9.3/8.9.3) with ESMTP id QAA14897
	for <hackers@FreeBSD.ORG>; Mon, 2 Oct 2000 16:34:44 +0200 (MET DST)
Received: from localhost (localhost.security.at12.de [127.0.0.1])
	by bagabeedaboo.security.at12.de (8.11.0/8.11.0) with ESMTP id e92EYbl00913
	for <hackers@FreeBSD.ORG>; Mon, 2 Oct 2000 16:34:37 +0200 (CEST)
	(envelope-from pherman@frenchfries.net)
Date: Mon, 2 Oct 2000 16:34:37 +0200 (CEST)
From: Paul Herman <pherman@frenchfries.net>
To: hackers@FreeBSD.ORG
Subject: Blowfish passwords
Message-ID: <Pine.BSF.4.21.0010021536360.278-100000@bagabeedaboo.security.at12.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I've come up with a small patchset to libcrypt (ported from OpenBSD)
which adds the blowfish password digest in addition to des and md5.  
Features include:

  * Compatibility with OpenBSD (for those of us using NIS)
  * switchable behavior in /etc/login.conf (passwd_format=bf)
  * ability to do multiple rounds on the fly, i.e. 2^x iterations 1<x<99
  * most importantly, this addition doesn't mess with the current
    default behavior of FreeBSD (MD5/DES)

One "feature" is that the salt generated by /usr/bin/passwd isn't long
enough, so the salt seems to just get padded with zeroes (I'll have to
look into this), but that is a passwd(1) thing, and the whole thing
still works.

In addidtion, you can still generate entries manualy and putting them
into /etc/master.passwd:

bash-2.03$ perl -e 'print crypt("123", "\$2a\$09\$thissaltisindeedlongenough"), "\n";'
$2a$09$thissaltisindeedlongeePn7z/hl0cWlo/alWEfzNAPg6E/22J.y

It patches cleanly against -STABLE and -CURRENT, and only touches
libcrypt.  Take a look at it, feedback/patches are welcome, and if you
like it, maybe someone can integrate it into -CURRENT.  (I don't know
whose dept. this would be -- Mark Murray perhaps? )

   http://www.frenchfries.net/paul/freebsd/blowfish.passwd.patch.gz

-Paul.

P.S. I didn't know where to put this, in lib/libcrypt or
secure/lib/libcrypt, but lib/libcrypt seemed the most logical...



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message