From owner-freebsd-stable Tue Nov 21 8:49:38 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from isds.duke.edu (davinci.isds.duke.edu [152.3.22.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5EC0737B4C5; Tue, 21 Nov 2000 08:49:34 -0800 (PST)
Received: from feta.isds.duke.edu (feta.isds.duke.edu [152.3.22.76])
	by isds.duke.edu (8.8.8/8.8.8) with ESMTP id LAA06317;
	Tue, 21 Nov 2000 11:49:33 -0500 (EST)
Received: (from sto@localhost)
	by feta.isds.duke.edu (8.11.1/8.9.3) id eALGnXj27593;
	Tue, 21 Nov 2000 11:49:33 -0500 (EST)
	(envelope-from sto)
Date: Tue, 21 Nov 2000 11:49:33 -0500
From: "Sean O'Connell"
To: Kris Kennaway
Cc: FreeBSD stable
Subject: Re: Hmm..passwords.
Message-ID: <20001121114933.D27266@stat.Duke.EDU>
Reply-To: "Sean O'Connell"
Mail-Followup-To: Sean O'Connell , Kris Kennaway , FreeBSD stable
References: <20001121135541.A14220@nevermind.kiev.ua> <20001121082750.A2922@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001121082750.A2922@citusc17.usc.edu>; from kris@FreeBSD.ORG on Tue, Nov 21, 2000 at 08:27:50AM -0800
X-Organization: Institute of Statistics and Decision Sciences
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Kris Kennaway stated:
: On Tue, Nov 21, 2000 at 07:09:57AM -0500, Matt Heckaman wrote:
: > On Tue, 21 Nov 2000, Nevermind wrote:
: > ...
: > : The same thing...
: > : Maybe the point is in DES/md5 passwords?
: >
: > FreeBSD has actually defaulted to MD5 passwords for quite a long time to
: > those of us not within the US. However, installing the US crypto has
: > always forced the usage of DES passwords by default. In order to switch
: > your machine back to DES passwords from MD5 passwords, this is what you
: > need to do:
:
: No longer correct. You don't need to futz with libraries and symlinks
: any more, only change the value of the passwd_format login capability
: in /etc/login.conf.
: The default is MD5 passwords for new accounts.
:

Kris-

This issue probably could stand a little more reinforcing (see below)

grep passwd_format /usr/src/UPDATING
Exit 1

However, this is very nicely spelled out in the
/usr/src/release/texts/ERRATA.TXT (I found this while composing the
email).

----
System Update Information:

The system now defaults to using an MD5-based password scheme in all
cases rather than the less secure (but more interoperable) DES-based
password scheme. This was not documented well; to switch to DES
passwords, login.conf(5) must specify "passwd_format", eg:

default:\
        :passwd_format=des:\

See the login.conf(5), yp(4), and login_cap(3) manpages for
documentation.

Maybe we could add a

        :passwd_format=md5:\

to the default entry or create a commented out des login class like

#des_users:\
#       :passwd_format=des:\
#       :tc=default:

to clarify this a bit. I was surprised for a few minutes but ended up
just adding the following to default

        :passwd_format=des:\

Also, as a side question, does passwd automagically stick to using
DES for NIS-enabled machines so it doesn't corrupt NIS maps on other
machines/os's? I suppose in a FreeBSD-only environment, this would
not be a problem, but I have a bunch of Digital Unix machines that I
have to support, as well.

Point of clarification: based on the ERRATA, should I add the
passwd_format=des to all my machines to preserve interoperability?

Thanks
S
-----------------------------------------------------------------------
Sean O'Connell                                Email: sean@stat.Duke.EDU
Institute of Statistics and Decision Sciences Phone: (919) 684-5419
Duke University                               Fax:   (919) 684-8594

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
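
An added example, not part of the original message and not FreeBSD code: one way to audit the interoperability question raised above, by resolving passwd_format per login class (following tc=) and comparing it with the shape of each stored hash. The function names and sample data are constructed for illustration; the MD5 fallback when passwd_format is unset is taken from the ERRATA text quoted in the message.

```python
import re

# Constructed sample data: a login.conf(5) fragment and master.passwd rows.
SAMPLE_LOGIN_CONF = r"""default:\
    :passwd_format=des:
staff:\
    :tc=default:
md5_users:\
    :passwd_format=md5:
"""
SAMPLE_MASTER_PASSWD = """\
alice:aaBBccDDeeFFg:1001:1001:staff:0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:ZZyyXXwwVVuuT:1003:1003:md5_users:0:0:Carol:/home/carol:/bin/sh
"""

def parse_login_conf(text):
    """Return {class: {capability: value}}; comments dropped, '\\' lines joined."""
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    classes = {}
    for record in re.sub(r"\\\n\s*", "", "\n".join(kept)).splitlines():
        names, *fields = record.strip().split(":")
        caps = dict(f.strip().partition("=")[::2] for f in fields if f.strip())
        classes.update({n: caps for n in names.split("|") if n})
    return classes

def passwd_format(classes, name, builtin="md5", seen=()):
    """Resolve passwd_format for a class, following tc= without looping."""
    caps = classes.get(name, {})
    parent = caps.get("tc")
    if "passwd_format" not in caps and parent and parent not in seen:
        return passwd_format(classes, parent, builtin, seen + (name,))
    return caps.get("passwd_format", builtin)  # builtin: MD5 per the ERRATA

def hash_format(field):
    """Classify a stored password field by its visible shape."""
    if field.startswith("$1$"):
        return "md5"
    return "des" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else "other"

def mismatches(login_conf, master_passwd, wanted="des"):
    """Rows (user, class, configured, stored) that differ from `wanted`."""
    classes, rows = parse_login_conf(login_conf), []
    for line in master_passwd.splitlines():
        user, pw, _uid, _gid, cls = line.split(":")[:5]
        found = (passwd_format(classes, cls or "default"), hash_format(pw))
        if found != (wanted, wanted):
            rows.append((user, cls or "default") + found)
    return rows
```

Rows where the stored hash is still MD5 under a DES class are accounts whose password predates the login.conf change and would need to be reset before the entry is usable from a DES-only NIS client.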