Message-ID: <49668643.7050507@mail.zedat.fu-berlin.de>
Date: Fri, 09 Jan 2009 00:03:31 +0100
From: "O. Hartmann"
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
References: <495FDC97.4090301@mail.zedat.fu-berlin.de> <200901040346.n043kRCJ000646@lava.sentex.ca>
In-Reply-To: <200901040346.n043kRCJ000646@lava.sentex.ca>
Subject: Re: MD5 vs. SHA1 hashed passwords in /etc/master.passwd: can we configure SHA1 in /etc/login.conf?

Mike Tancsa wrote:
> At 04:45 PM 1/3/2009, O. Hartmann wrote:
>
>> followed by an obligatory "cap_mkdb" seems to do something - changing
>> root's password results in different hashes when selecting different
>> hash algorithms like des, md5, sha1, blf or even sha256.
>>
>> Well, I never dug deep enough into the source code to reveal the
>> magic and truth, so I will ask here for some help. Is it possible to
>> change the md5-algorithm by default towards sha1 as recommended after
>> the md5-collisions have been published?
>
> Are you sure sha1 is supported? It looks like if you put in something
> not understood in the login.conf file, it defaults to what appears to
> be DES.
>
> ---Mike
>
>> Thanks in advance,
>> Oliver

Yes, you're absolutely right, I also figured this out after I tried every
possible hashing algorithm mentioned in the manpage. I use 'blf' now.

Regards,
Oliver
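
The silent DES fallback discussed in this thread can be confirmed by looking at the hash prefix that a password change actually wrote to /etc/master.passwd. The script below is an added example, not part of the original mail: the function names and sample accounts are constructed, the hash strings are placeholders, and the prefix table is the common crypt(3) modular-format convention.

```shell
#!/bin/sh
# Added example: classify password hashes in master.passwd format by their
# crypt(3) prefix, to confirm which scheme passwd_format really produced.

# Constructed sample input: placeholder strings, not real password hashes.
sample_master_passwd() {
cat <<'EOF'
root:$2a$04$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
alice:abCDefGHijKLm:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# classify_hashes [FILE]: print "user scheme" per account (stdin if no FILE).
classify_hashes() {
    awk -F: '
    /^#/ || NF < 2 { next }                  # skip comments, malformed lines
    {
        h = $2
        sub(/^\*LOCKED\*/, "", h)            # "pw lock" prepends this marker
        if (h == "")                   s = "empty"
        else if (h ~ /^\*/)            s = "nologin"
        else if (h ~ /^\$1\$/)         s = "md5"
        else if (h ~ /^\$2[abxy]?\$/)  s = "blf"
        else if (h ~ /^\$5\$/)         s = "sha256"
        else if (h ~ /^\$6\$/)         s = "sha512"
        else if (h ~ /^_/)             s = "des-extended"
        else if (h !~ /^\$/ && length(h) == 13) s = "des"
        else                           s = "unknown"
        print $1, s
    }' "${1:--}"
}

# des_users [FILE]: accounts whose stored hash is DES, i.e. the fallback case.
des_users() {
    classify_hashes "${1:--}" | awk '$2 ~ /^des/ { print $1 }'
}

# Readable file argument: classify it. Otherwise run on the constructed sample.
if [ -r "${1:-}" ]; then classify_hashes "$1"; else sample_master_passwd | classify_hashes; fi
```

Run it as root with /etc/master.passwd as the argument after changing `passwd_format` and resetting a test account's password; an account reported as `des` means the configured value was not understood.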