Date:      Tue, 21 Nov 2000 11:49:33 -0500
From:      "Sean O'Connell" <sean@stat.Duke.EDU>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        FreeBSD stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: Hmm..passwords.
Message-ID:  <20001121114933.D27266@stat.Duke.EDU>
In-Reply-To: <20001121082750.A2922@citusc17.usc.edu>; from kris@FreeBSD.ORG on Tue, Nov 21, 2000 at 08:27:50AM -0800
References:  <20001121135541.A14220@nevermind.kiev.ua> <Pine.BSF.4.21.0011210704230.88234-100000@epsilon.lucida.ca> <20001121082750.A2922@citusc17.usc.edu>

Kris Kennaway stated:
: On Tue, Nov 21, 2000 at 07:09:57AM -0500, Matt Heckaman wrote:
: > On Tue, 21 Nov 2000, Nevermind wrote:
: > ...
: > : The same thing...
: > : Maybe the point is in DES/md5 passwords?
: > 
: > FreeBSD has actually defaulted to MD5 passwords for quite a long time to
: > those of us not within the US. However, installing the US crypto has
: > always forced the usage of DES passwords by default. In order to switch
: > your machine back to DES passwords from MD5 passwords, this is what you
: > need to do:
: 
: No longer correct. You don't need to futz with libraries and symlinks
: any more, only change the value of the passwd_format login capability
: in /etc/login.conf. The default is MD5 passwords for new accounts.
: 
Kris-

This issue probably could stand a little more reinforcing (see below)

grep passwd_format /usr/src/UPDATING 
Exit 1

However, this is very nicely spelled out in the 
/usr/src/release/texts/ERRATA.TXT (I found this while composing the
email).

<snip from ERRATA.TXT>
---- System Update Information:

The system now defaults to using an MD5-based password scheme in all
cases rather than the less secure (but more interoperable) DES-based
password scheme.  This was not documented well; to switch to DES
passwords, login.conf(5) must specify "passwd_format", eg:
default:\
        :passwd_format=des:\
See the login.conf(5), yp(4), and login_cap(3) manpages for
documentation.
</snip from ERRATA.TXT>

Maybe we could add a

	:passwd_format=md5:\

to the default entry or create a commented out des login
class like

#des_users:\
#	:passwd_format=des:\
#	:tc=default:

to clarify this a bit.  I was surprised for a few minutes
but ended up just adding the following to default

	:passwd_format=des:\

Also, as a side question, does passwd automagically stick to using 
DES for NIS-enabled machines so it doesn't corrupt NIS maps on other
machines/os's?  I suppose in a FreeBSD-only environment, this would
not be a problem, but I have a bunch of Digital Unix machines that
I have to support, as well.

Point of clarification: based on the ERRATA, should I add the 
passwd_format=des to all my machines to preserve interoperability?

Thanks
S
-----------------------------------------------------------------------
Sean O'Connell                                Email: sean@stat.Duke.EDU
Institute of Statistics and Decision Sciences Phone: (919) 684-5419
Duke University                               Fax:   (919) 684-8594
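
[Added example, not part of the original message and not FreeBSD code: a check for the interoperability question above. It resolves passwd_format per login class (following tc=) and reports which accounts already hold MD5 hashes that a DES-only host could not verify. The function names and the sample data are made up for illustration; the MD5 default is taken from the ERRATA text quoted in the message.]

```python
import re

DEFAULT_FORMAT = "md5"  # per the thread: MD5 applies unless passwd_format says otherwise

def parse_login_conf(text):
    """Parse login.conf-style text into {class_name: {capability: value}}."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    folded = re.sub(r"\\\n\s*", "", "\n".join(lines))  # join backslash continuations
    classes = {}
    for line in folded.splitlines():
        fields = [f.strip() for f in line.split(":") if f.strip()]
        if fields:
            caps = dict(f.split("=", 1) if "=" in f else (f, "") for f in fields[1:])
            classes.update(dict.fromkeys(fields[0].split("|"), caps))
    return classes

def effective_format(classes, name, seen=()):
    """Resolve passwd_format for a class, following tc= and stopping on loops."""
    caps = classes.get(name)
    if caps is None or name in seen:
        return DEFAULT_FORMAT
    if "passwd_format" in caps:
        return caps["passwd_format"]
    return effective_format(classes, caps.get("tc"), seen + (name,))

def hash_format(pw_hash):
    """Classify a stored hash by shape: "$1$" prefix is MD5, 13 crypt chars is DES."""
    if pw_hash.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_hash):
        return "des"
    return "other"  # locked ("*"), empty, or a scheme not covered here

def audit(login_conf, master_passwd):
    """Return (user, stored_format, format_on_next_change) per master.passwd line."""
    classes = parse_login_conf(login_conf)
    rows = []
    for line in master_passwd.splitlines():
        f = line.split(":")
        if len(f) == 10:  # name:hash:uid:gid:class:change:expire:gecos:home:shell
            cls = f[4] if f[4] in classes else "default"  # empty/unknown class -> default
            rows.append((f[0], hash_format(f[1]), effective_format(classes, cls)))
    return rows

# Constructed sample input; the hash strings are made up, not real password hashes.
SAMPLE_CONF = "default:\\\n\t:passwd_format=des:\nmd5_users:\\\n\t:passwd_format=md5:\\\n\t:tc=default:\nlegacy:\\\n\t:tc=default:\n"
SAMPLE_PASSWD = "\n".join([
    "alice:ab1Q9xYz./AbC:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$madeup$0123456789abcdefghijkl:1002:1002:legacy:0:0:Bob:/home/bob:/bin/sh",
    "carol:$1$madeup$lkjihgfedcba9876543210:1003:1003:md5_users:0:0:Carol:/home/carol:/bin/sh"])
```

[In the sample, bob's class now resolves to des but his stored hash is still MD5: changing passwd_format affects only the next password change, so existing MD5 entries stay as they are until the password is reset.]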

