From owner-freebsd-doc Sun Nov 11 6:10:13 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 79DEB37B417 for ; Sun, 11 Nov 2001 06:10:03 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id fABEA3N07972; Sun, 11 Nov 2001 06:10:03 -0800 (PST) (envelope-from gnats)
Date: Sun, 11 Nov 2001 06:10:03 -0800 (PST)
Message-Id: <200111111410.fABEA3N07972@freefall.freebsd.org>
To: freebsd-doc@freebsd.org
From: Martin Heinen
Subject: Re: docs/31899: Markup changes for chapter Security
Reply-To: Martin Heinen
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR docs/31899; it has been noted by GNATS.

From: Martin Heinen
To: Tom Hukins
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sun, 11 Nov 2001 15:06:54 +0100

--5G06lTa6Jq83wMTw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sat, Nov 10, 2001 at 05:27:14PM +0000, Tom Hukins wrote:
> On Sat, Nov 10, 2001 at 03:19:43PM +0100, Martin Heinen wrote:
> > If you have installed the DES-capable crypt library
> > - libdescrypt (e.g. by installing the
> > - "crypto" distribution), then which password format will be used
> > - for new passwords is controlled by the
> > - passwd_format login capability in
> > - /etc/login.conf, which takes values of
> > - either des or md5. See the
> > - &man.login.conf.5; manual page for more information about login
> > - capabilities.
>
> Rather than fixing this by modifying the quotes, shouldn't this be
> totally updated? We don't have a "crypto" distribution any more, so we
> should specify what happens by default and explain how to change it.

Second oops, in the future I will read the release notes more
thoroughly.

The attached diff reformulates the section, but I'm not sure if I got
this right, especially I don't know when /etc/auth.conf is used. Maybe
someone else can shed more light on this.

Should I open a new PR for this issue?

Martin

-- 
Marxpitn

--5G06lTa6Jq83wMTw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="sec.auth.diff"

Index: chapter.sgml =================================================================== RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v retrieving revision 1.96 diff -u -r1.96 chapter.sgml --- chapter.sgml 2001/10/29 11:02:50 1.96 +++ chapter.sgml 2001/11/11 13:33:53 
@@ -978,50 +978,35 @@ Recognizing Your Crypt Mechanism + Before FreeBSD 4.4 libcrypt.a was a + symbolic link pointing to the library which was used for + encryption. FreeBSD 4.4 changed libcrypt.a to + provide a configurable password authentication hash library. + Currently the library supports DES, MD5 and Blowfish hash + functions. By default FreeBSD uses MD5 to encrypt + passwords. + It is pretty easy to identify which encryption method FreeBSD is set up to use. Examining the encrypted passwords in the /etc/master.passwd file is one way. Passwords encrypted with the MD5 hash are longer than those encrypted with the DES hash and also begin with the characters - $1$. DES password strings do not + $1$. Passwords starting with + $2$ are encrypted with the + Blowfish hash function. DES password strings do not have any particular identifying characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character alphabet which does not include the $ character, so a relatively short string which does not begin with a dollar sign is very likely a DES password. - - The libraries can identify the passwords this way as well. - As a result, the DES libraries are able to identify MD5 - passwords, and use MD5 to check passwords that were encrypted - that way, and DES for the rest. They are able to do this - because the DES libraries also contain MD5. Unfortunately, the - reverse is not true, so the MD5 libraries cannot authenticate - passwords that were encrypted with DES. - - Identifying which library is being used by the programs on - your system is easy as well. Any program that uses crypt is linked - against libcrypt, which for each type of library is a symbolic link - to the appropriate implementation. 
For example, on a system using - the DES versions: - - &prompt.user; ls -l /usr/lib/libcrypt* -lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a -lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0 -lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a - On a system using the MD5-based libraries, the same links will - be present, but the target will be libscrypt - rather than libdescrypt. + Which password format will be used for new passwords is + controlled by the passwd_format login capability in + /etc/login.conf, which takes values of + des or md5 or blf. + See the &man.login.conf.5; manual page for more information about + login capabilities. - If you have installed the DES-capable crypt library - libdescrypt (e.g. by installing the - "crypto" distribution), then which password format will be used - for new passwords is controlled by the - passwd_format login capability in - /etc/login.conf, which takes values of - either des or md5. See the - &man.login.conf.5; manual page for more information about login - capabilities. --5G06lTa6Jq83wMTw-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
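
Review bot: The rewritten closing paragraph (passwd_format taking des, md5 or blf) and the new opening paragraph drop the old explanation of which stored hashes the library can still verify, and nothing replaces it. The removed lines said the DES libraries could check MD5 passwords but not the reverse; the new text should state whether the configurable libcrypt verifies existing DES, MD5 and Blowfish entries regardless of the passwd_format setting, since an administrator changing that value needs to know what happens to accounts whose entries in /etc/master.passwd use an older format. The new opening paragraph also mentions only libcrypt.a as the former symbolic link, while the removed ls output shows libcrypt.so.2.0 and libcrypt_p.a were links as well, so "libcrypt" without the suffix would be more accurate. The /etc/auth.conf question raised in the cover note is not addressed anywhere in the added lines and should be settled before this is committed. Minor wording: the added lines call the library a "password authentication hash library" but then say passwords are "encrypted" with MD5 and Blowfish; "hashed" would be consistent with the paragraph's own terminology.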