From owner-freebsd-security Wed Sep 25 15:26:53 2002
Date: Wed, 25 Sep 2002 15:26:45 -0700
From: Erick Mechler
To: Nomad
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password encoding
Message-ID: <20020925222645.GJ45330@techometer.net>
References: <20020925221718.GA63296@killer.crypton.pl>
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>

:: So I made small investigation. And what I found: new auth_default value
:: in my system is DES !!! And my password on new accounts are only 8
:: characters long !!!

You're going to want to do 2 things. First, make sure that you have your
passwd_format=md5 in your /etc/login.conf (be sure to run
cap_mkdb /etc/login.conf after you do so).

Currently there's a bug with /usr/sbin/adduser which results in changed
passwords defaulting to DES, despite whatever the system default password
scheme is. /usr/sbin/pw and /usr/bin/passwd do not suffer from this problem.

Bottom line: don't use adduser to set your passwords upon account creation,
use the passwd utility or pw. This will ensure that all your system passwords
are created and stay MD5.

Cheers - Erick
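
A check for the situation described in this message, added here as an example (not part of the original post and not FreeBSD's own tooling): it classifies each stored hash in a master.passwd-format file by its crypt(3) prefix, lists the accounts still on DES, and reads passwd_format from a login.conf-format file. The function names and sample entries are constructed for illustration; on a real system the inputs would be /etc/master.passwd (readable by root only) and /etc/login.conf.

```shell
#!/bin/sh
# Added example: audit for leftover DES hashes. All hashes are constructed placeholders.

# Infer the crypt(3) scheme from the stored hash's prefix and length.
classify_hash() {
    case "$1" in
        '')       echo empty ;;          # no password set at all
        '*'*)     echo locked ;;         # "*" or "*LOCKED*..." entries
        '$1$'*)   echo md5 ;;
        '$2'*)    echo blowfish ;;
        '$'*)     echo other-modular ;;
        _*)       echo des-extended ;;
        *[!./0-9A-Za-z]*) echo unknown ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Print "user scheme" for each account in a master.passwd-format file
# (name:hash:uid:...) that still carries a DES hash.
audit_master_passwd() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        case "$scheme" in des|des-extended) echo "$user $scheme" ;; esac
    done < "$1"
}

# Print the first passwd_format value in a login.conf-format file
# (simplification: per-class overrides are not resolved).
login_conf_format() {
    grep -v '^[[:space:]]*#' "$1" | sed -n 's/.*:passwd_format=\([^:]*\):.*/\1/p' | head -n 1
}

# Constructed sample input (not taken from a real system).
write_sample() {
    cat > "$1" <<'EOF'
# constructed master.passwd-style sample
root:$1$constrct$placeholderplaceholder:0:0::0:0:Charlie &:/root:/bin/csh
alice:XXplaceholder:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$placeholderplaceholder:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_master_passwd "$sample"    # prints: alice des
rm -f "$sample"
```

Any account it reports needs its password set again with passwd or pw once passwd_format=md5 is in effect, since an existing DES hash cannot be converted in place.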