From owner-freebsd-stable Tue Nov 21 17:47:19 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 7653537B479; Tue, 21 Nov 2000 17:47:14 -0800 (PST)
Received: from localhost (cewqv5@localhost [127.0.0.1]) by green.dyndns.org (8.11.0/8.11.0) with ESMTP id eAM1lQ562481; Tue, 21 Nov 2000 20:47:28 -0500 (EST) (envelope-from green@FreeBSD.org)
Message-Id: <200011220147.eAM1lQ562481@green.dyndns.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: stable@FreeBSD.org
Cc: "Sean O'Connell" , FreeBSD stable
Subject: Re: Hmm..passwords.
In-Reply-To: Message from "David O'Brien" of "Tue, 21 Nov 2000 15:31:12 PST." <20001121153112.B1910@dragon.nuxi.com>
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 21 Nov 2000 20:47:25 -0500
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"David O'Brien" wrote:
> On Tue, Nov 21, 2000 at 08:55:51AM -0800, Kris Kennaway wrote:
> > > Point of clarification: based on the ERRATA, should I add the
> > > passwd_format=des to all my machines to preserve interoperability?
> >
> > If you want the same NIS password map to be used on "legacy" UNIXes
> > which don't talk MD5 they have to be DES passwords. Standalone
> > machines should be MD5 for greater security.
>
> When Kris and I discussed this functionality (before Brian went and did
> it); we talked about much higher granularity than Brian implemented:
>
> MD5 everywhere
> DES everywhere
> MD5 locally / DES yp

How would this work? It would be nearly impossible to do in a reasonable
way, as it appears to me.

> Convert to MD5
> Convert to DES

These are policies for applications including pw(8), passwd(1), etc.
Personally, if anything I believe there should be a default (like in
login.conf) and then a per-application override (like pw.conf). I don't
really see how PAM enters into this part...

> Maybe in the future we'll get this level of granularity. Or maybe this
> should have been folded into PAM (which really feels orphaned in FreeBSD
> and very few know the vision for PAM w/in FreeBSD).

That doesn't actually address applications being able to use crypt(3) for
either MD5 or DES though. Personally, I want to be able to make everything
possible MD5 that is not required for interoperability, but use a strong
hash otherwise; MD5 is a much more reasonable default because it is so much
harder to crack than DES. Each app should be able to use crypt() but
configure its behavior. At least this really does belong outside of PAM.

> --
> -- David (obrien@FreeBSD.org)
> GNU is Not Unix / Linux Is Not UniX

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
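As an added illustration (not code from the thread or from FreeBSD), a small audit that classifies crypt(3) password fields by their salt prefix and checks a master.passwd or NIS passwd map against the three policies David lists; the policy names, the "local"/"yp" source labels and the sample entries are constructed for this example.

```python
import re
# Constructed audit helper (not FreeBSD code, nor from anyone on the thread):
# reports entries in a master.passwd or NIS passwd map whose crypt(3) format
# violates a chosen policy.  Only the name and password fields are read.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional DES: 2-char salt + 11
MD5_PREFIX = "$1$"                            # FreeBSD MD5 crypt magic

def hash_format(field):
    """Classify a crypt(3) password field by its salt/magic."""
    if field == "":
        return "empty"
    if field[0] in "*!":                      # locked / no-password account
        return "locked"
    if field.startswith(MD5_PREFIX):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"

# The three policies David O'Brien lists; source is 'local' (master.passwd)
# or 'yp' (an NIS map that legacy clients can only use with DES hashes).
POLICIES = {
    "md5-everywhere":   {"local": "md5", "yp": "md5"},
    "des-everywhere":   {"local": "des", "yp": "des"},
    "md5-local-des-yp": {"local": "md5", "yp": "des"},
}

def audit(lines, source, policy):
    """Return [(user, format)] for non-locked entries not in the expected format."""
    expected = POLICIES[policy][source]
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        fmt = hash_format(fields[1])
        if fmt != "locked" and fmt != expected:   # empty fields are always reported
            findings.append((fields[0], fmt))
    return findings

# Constructed sample master.passwd lines (the hashes are not real).
SAMPLE_LOCAL = """\
root:$1$saltsalt$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab0123456789A:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/sbin/nologin
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh
""".splitlines()
```

Running `audit(SAMPLE_LOCAL, "local", "md5-local-des-yp")` flags alice (still DES) and carol (empty password field), while the same map checked as a `yp` source flags root instead, since a legacy NIS client cannot use its MD5 hash.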