From owner-freebsd-security@FreeBSD.ORG Mon Jun 11 14:12:09 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D365106564A for ; Mon, 11 Jun 2012 14:12:09 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) by mx1.freebsd.org (Postfix) with ESMTP id F29218FC08 for ; Mon, 11 Jun 2012 14:12:08 +0000 (UTC) Received: from [192.168.43.26] (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.5/8.14.4) with ESMTP id q5BEC6eD023345; Mon, 11 Jun 2012 10:12:07 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <4FD5FCB3.80000@sentex.net> Date: Mon, 11 Jun 2012 10:12:03 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= References: <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net> <86ipeyp73q.fsf@ds4.des.no> <4FD5CF47.7070800@sentex.net> <867gvene35.fsf@ds4.des.no> In-Reply-To: <867gvene35.fsf@ds4.des.no> X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.72 on 64.7.153.18 Cc: freebsd-security@freebsd.org Subject: Re: Default password hash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jun 2012 14:12:09 -0000 On 6/11/2012 10:00 AM, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: >> Dag-Erling Smørgrav writes: >>> Mike Tancsa writes: >>>> Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its >>>> currently not there. >>> "not there" as in "not supported by crypt(3)"? >> If you put in sha256|sha512 in passwd_format, the passwd that gets >> chosen is DES, as in Data Encryption Standard, not Dag-Erling Smørgrav >> ;-) > > This is non-trivial to fix, as the code that would need to be MFCed > depends on libc changes. I'm worried about collateral damage from > MFCing those changes. > > It may be possible to backport the sha2 code. Locally, we still have a need to share some passwd files between a couple of RELENG_8 and RELENG_7 boxes. But it might be better to just upgrade the new boxes to 8 if need be. If not, is Blowfish as its currently implemented on RELENG_7 considered strong enough ? There has been some discussion suggesting its not and some that it is. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/