Date: Mon, 18 Sep 2000 22:26:02 +0300 (EEST)
From: Evren Yurtesen
To: David Pick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 passwords vs DES

On Mon, 18 Sep 2000, David Pick wrote:

> > If you don't mind the side effects you can try to compile passwd and perl
> > with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to
> > /usr/lib/libcrypt.a which is linked to either DES or MD5 library) when you
> > use libscrypt in your passwd and perl programs the passwords these
> > programs generate will be MD5 by default. The side effect of this is that
> > your users can't change their own passwords if their old password is DES
> > since libscrypt doesn't understand DES and if you have perl scripts which
> > do similar actions they may fail. But adduser is a perl script itself so
> > it would generate MD5 passwords automatically when you add a new user.
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> >
> > For passwd program it's simple, in its makefile just change -lcrypt lines
> > with /usr/lib/libscrypt.a this should do the job I am not sure about perl.
> >
> > Is this a good "temporary" solution for you?
>
> I don't recompile anything, I just redirect the symbolic links
>     libcrypt* -> libdescrypt*
> to become
>     libcrypt* -> libscrypt*
> in /usr/lib/
>
> I actually do this during system installation before creating any users so
> the only DES password is the "root" password. "root" can, of course, reset
> this (getting a MD5 password) without having anything checked against the
> DES password (because it's "root" doing it).
>
> --
> David Pick

But in your solution you expect all the passwords to be MD5 passwords
because libscrypt doesn't understand DES. If you just recompile passwd
and perl and leave the libcrypt* -> libdescrypt you can have a hybrid
passwd file with MD5 and DES entries, plus your new users and the users
whose passwords you changed would have MD5 passwords, and in time, when
you have all users' passwords as MD5, then you can change the links from
libdescrypt* to libscrypt*. Otherwise your users with DES passwords can't
log in when you have libcrypt linked to libscrypt.

My solution was for people who want to migrate to MD5 passwords slowly.

Evren
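
An added example, not part of the original message: a small sh/awk audit for the gradual migration described above. It lists the accounts in a master.passwd-format file whose hash is not yet MD5 (`$1$` prefix), so you can tell when relinking libcrypt to libscrypt will no longer lock anyone out. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hash schemes in master.passwd-format input (stdin).
# Field 2 holds the hash: "$1$salt$..." is MD5 crypt, exactly 13 characters
# from [./0-9A-Za-z] is traditional DES crypt, "*" or empty carries no hash.

classify_hashes() {     # prints "user<TAB>scheme" for every account
    awk -F: '
        /^#/ || NF < 2 { next }               # skip comments and junk lines
        {
            h = $2
            if (h ~ /^\$1\$/)                                     s = "md5"
            else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/)  s = "des"
            else if (h == "" || h ~ /^\*/)                        s = "nologin"
            else                                                  s = "other"
            printf "%s\t%s\n", $1, s
        }'
}

pending_users() {       # accounts an MD5-only libcrypt could not verify
    classify_hashes | awk -F'\t' '$2 == "des" || $2 == "other" { print $1 }'
}

safe_to_relink() {      # exit status 0 only when nothing is pending
    [ -z "$(pending_users)" ]
}

sample_passwd() {       # constructed entries, not real hashes
    cat <<'EOF'
root:$1$constrct$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:ab0123456789A:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$lkjihgfedcba9876543210:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
}

# With a file argument (e.g. /etc/master.passwd, as root) report on it.
if [ $# -gt 0 ]; then
    classify_hashes < "$1"
    if safe_to_relink < "$1"; then
        echo "all password hashes are MD5: relinking is safe"
    else
        echo "still not MD5:" $(pending_users < "$1")
    fi
fi
```

Run it against a copy of the password file before changing the links; any account it reports as pending still needs a password change under the hybrid setup.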