From owner-freebsd-security Tue Jul 6 6:34:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from overcee.netplex.com.au (overcee.netplex.com.au [202.12.86.7]) by hub.freebsd.org (Postfix) with ESMTP id 926C814F2B for ; Tue, 6 Jul 1999 06:34:11 -0700 (PDT) (envelope-from peter@netplex.com.au) Received: from netplex.com.au (localhost [127.0.0.1]) by overcee.netplex.com.au (Postfix) with ESMTP id 58E2B78; Tue, 6 Jul 1999 21:34:10 +0800 (WST) (envelope-from peter@netplex.com.au) X-Mailer: exmh version 2.0.2 2/24/98 To: Kris Kennaway Cc: security@freebsd.org Subject: Re: Improved libcrypt ready for testing In-reply-to: Your message of "Tue, 06 Jul 1999 22:30:21 +0930." Date: Tue, 06 Jul 1999 21:34:10 +0800 From: Peter Wemm Message-Id: <19990706133410.58E2B78@overcee.netplex.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: [..] > In order to accomodate multiple algorithms better, the crypted passwords have > the format $token$hash$password where "token" is a string, not a numerical > identifier (i.e., '1' for current MD5 passwords, and "2a" for openbsd > blowfish > passwords). Using a numeric identifier is non-portable across vendors without > an assigning authority, and there's the possibility of collision should > another vendor choose the same number as us for a different algorithm (of > course, they could still choose an incompatible algorithm using MD5, etc, but > this is less likely). (Cisco seem to use either our (old) MD5 algorithm for > their routers, or one with the same form) I'd strongly suggest encoding the number of rounds as well, ie: $token$salt$rounds$password That way plain old crypt(3) can work without needing to dive off to /etc/login.conf.db. When passwd(1) generates the string it can set the number of rounds either from the count in login.conf, or perhaps some sort of time count. For example, suppose you specify that the root login is to have a minimum number of X rounds, and the has has to run for at least N seconds on this system. So, it could scale according to cpu speed. Also, I don't think using $2a$ for openbsd blowfish is a good idea - use $2$ directly since it's what they use. Ther is no need to be different for the sake of it. Cheers, -Peter -- Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message