Date: Tue, 06 Jul 1999 21:34:10 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <19990706133410.58E2B78@overcee.netplex.com.au>
In-Reply-To: Your message of "Tue, 06 Jul 1999 22:30:21 +0930." <Pine.OSF.4.10.9907062220400.16135-100000@bragg>
Kris Kennaway wrote:
[..]
> In order to accommodate multiple algorithms better, the crypted passwords have
> the format $token$hash$password where "token" is a string, not a numerical
> identifier (i.e., '1' for current MD5 passwords, and "2a" for openbsd blowfish
> passwords). Using a numeric identifier is non-portable across vendors without
> an assigning authority, and there's the possibility of collision should
> another vendor choose the same number as us for a different algorithm (of
> course, they could still choose an incompatible algorithm using MD5, etc, but
> this is less likely). (Cisco seem to use either our (old) MD5 algorithm for
> their routers, or one with the same form)

I'd strongly suggest encoding the number of rounds as well, ie:

  $token$salt$rounds$password

That way plain old crypt(3) can work without needing to dive off to
/etc/login.conf.db. When passwd(1) generates the string it can set the number
of rounds either from the count in login.conf, or perhaps some sort of time
count. For example, suppose you specify that the root login is to have a
minimum number of X rounds, and the hash has to run for at least N seconds on
this system. So, it could scale according to cpu speed.

Also, I don't think using $2a$ for openbsd blowfish is a good idea - use $2$
directly since it's what they use. There is no need to be different for the
sake of it.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
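The $token$salt$rounds$hash layout and the "X rounds, at least N seconds" policy Peter proposes, as an added example that is not part of this thread or of FreeBSD's libcrypt. It assumes PBKDF2-HMAC-SHA256 as a stand-in work function under an invented "pbkdf2" token, and the function names shown are the example's own.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass

# Salt/hash use the traditional crypt(3) alphabet, rounds is a plain decimal.
# (Layout, token and function names are assumptions for this example.)
_CRYPT_RE = re.compile(r'^\$([^$]+)\$([./0-9A-Za-z]+)\$([0-9]+)\$([./0-9A-Za-z]+)$')

@dataclass(frozen=True)
class CryptFields:
    token: str    # algorithm tag as a string, e.g. "1" (MD5) or "2" (Blowfish)
    salt: str
    rounds: int
    digest: str

def parse_crypt_string(s: str) -> CryptFields:
    """Split $token$salt$rounds$hash into fields; reject anything malformed."""
    m = _CRYPT_RE.match(s)
    if m is None:
        raise ValueError("not a $token$salt$rounds$hash string")
    token, salt, rounds, digest = m.groups()
    # Canonical positive decimal only: "0100" and "0" are not valid round counts.
    if rounds != str(int(rounds)) or int(rounds) < 1:
        raise ValueError("rounds must be a positive canonical decimal")
    return CryptFields(token, salt, int(rounds), digest)

def pbkdf2_digest(password: str, salt: str, rounds: int) -> str:
    """Stand-in work function (PBKDF2-HMAC-SHA256); hex stays in the crypt alphabet."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()

def make_entry(password: str, salt: str, rounds: int) -> str:
    """What passwd(1) would store: the round count travels inside the string."""
    return f"$pbkdf2${salt}${rounds}${pbkdf2_digest(password, salt, rounds)}"

def check_password(password: str, entry: str) -> bool:
    """crypt(3)-style check: the stored string alone says how many rounds to run."""
    f = parse_crypt_string(entry)
    return hmac.compare_digest(pbkdf2_digest(password, f.salt, f.rounds), f.digest)

def choose_rounds(min_rounds: int, min_seconds: float) -> int:
    """Double the count until one hash takes >= min_seconds, never below min_rounds."""
    rounds = max(1, min_rounds)
    while True:
        t0 = time.perf_counter()
        pbkdf2_digest("calibration", "calib", rounds)
        if time.perf_counter() - t0 >= min_seconds:
            return rounds
        rounds *= 2
```

Because the round count is inside the stored string, a verifier never has to consult login.conf, and raising the count for new passwords leaves old entries checkable.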