From owner-freebsd-security Thu Jun 26 09:15:42 1997
Return-Path:
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id JAA28304
          for security-outgoing; Thu, 26 Jun 1997 09:15:42 -0700 (PDT)
Received: from ice.cold.org (cold.org [206.81.134.103])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28297
          for ; Thu, 26 Jun 1997 09:15:39 -0700 (PDT)
Received: from localhost (brandon@localhost)
          by ice.cold.org (8.8.5/8.8.5) with SMTP id KAA09452;
          Thu, 26 Jun 1997 10:15:36 -0600 (MDT)
Date: Thu, 26 Jun 1997 10:15:36 -0600 (MDT)
From: Brandon Gillespie
To: Nathan Dorfman
cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES and IDEA
In-Reply-To: <199706261508.LAA14025@limbo.senate.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 26 Jun 1997, Nathan Dorfman wrote:

> Hello I have a question about FreeBSD's crypt(). If I installed DES
> when I originally installed the system, does the crypt() use DES
> by default? Is my password file DES or IDEA? Example: if I run Crack
> will it use DES or IDEA? Thanks!

Yes, once you install DES it will use DES no matter what, unless you
specify something else by passing crypt() a seed with the appropriate
prefix. From the new crypt comments:

/*
// Assumptions made with the new crypt format ($xx$..$..), started
// by Poul-Henning Kamp:
//
//   + The version ($xx$) will be either a two to four alphanumeric
//     tag representing the encryption method, or a numeric version
//     (also representing the encryption method). $1$ is MD5, $2$
//     is OpenBSD's Blowfish. Also known alphanumeric tags are:
//     MD5, SHA1 and BF--although Blowfish support is not integrated.
//   + If the new format $xx$.. is specified, but the tag is not
//     recognized, crypt() will default to the best method (currently
//     SHA-1). If new format is not specified, and DES is not
//     installed, the best method will also be used. However, if
//     DES is installed, and the new format is not specified, it
//     will use DES.
//   + passwords beginning with $xx$ always specify the new crypt format.
//   + Salt may not include '$' in it's character set--check for
//     this in code calling crypt, or it will truncate the salt.
*/

Along the same lines (this is not quite as relevant to your question),
once this crypt() is integrated into the source tree, I also planned on
submitting some changes to passwd to read a config file (such as
/etc/passwd.conf) where it will get the default salt to use, so you can
install DES on your system for old passwords, and set /etc/passwd.conf to
use SHA1 encryption for any new crypt() calls, instead of defaulting to
DES for everything.

-Brandon Gillespie
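
The selection rules from the quoted crypt comments, written out as an added example; it is not part of the original message and is not FreeBSD's crypt() source. The names select_method and effective_salt_len, exact-case tag matching, and treating a string with no closing '$' after the tag as old format are assumptions, and the Blowfish tags are only reported, since the message says that support is not integrated.

```c
#include <stdio.h>
#include <string.h>

enum method { M_DES, M_MD5, M_SHA1, M_BLOWFISH };
#define M_BEST M_SHA1 /* "best method (currently SHA-1)" in the comment */

/* Tags named in the quoted comment; exact-case matching is an assumption. */
static const struct { const char *tag; enum method m; } tags[] = {
    { "1", M_MD5 }, { "MD5", M_MD5 }, { "SHA1", M_SHA1 },
    { "2", M_BLOWFISH }, { "BF", M_BLOWFISH },
};

/* Hypothetical helper: which method the quoted rules select for a setting. */
enum method select_method(const char *setting, int des_installed)
{
    const char *end;
    size_t i, len;

    /* Old format (no "$tag$" prefix): DES if installed, else best method. */
    if (setting[0] != '$' || (end = strchr(setting + 1, '$')) == NULL)
        return des_installed ? M_DES : M_BEST;
    len = (size_t)(end - (setting + 1));
    for (i = 0; i < sizeof(tags) / sizeof(tags[0]); i++)
        if (strlen(tags[i].tag) == len &&
            memcmp(setting + 1, tags[i].tag, len) == 0)
            return tags[i].m;
    return M_BEST; /* new format, unrecognized tag: best method */
}

/* Hypothetical helper: salt length a '$'-delimited parser sees. A '$'
 * inside the salt ends it early, which is the truncation the comment
 * warns about. Returns 0 for old-format settings. */
size_t effective_salt_len(const char *setting)
{
    const char *sep;

    if (setting[0] != '$' || (sep = strchr(setting + 1, '$')) == NULL)
        return 0;
    return strcspn(sep + 1, "$");
}

int main(void)
{
    /* Constructed sample settings, not real password hashes. */
    printf("%d %d %d\n", select_method("ab", 1), select_method("ab", 0),
           select_method("$XYZ$salt$", 1));
    printf("%zu %zu\n", effective_salt_len("$1$abcdefgh$"),
           effective_salt_len("$1$abc$efgh$"));
    return 0;
}
```

A caller that generates salts can compare effective_salt_len() against the length it intended and reject the salt when they differ, which catches the silent truncation before the hash is stored.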