From owner-freebsd-security Mon Sep 18 0:22:52 2000
Date: Mon, 18 Sep 2000 10:24:58 +0300 (EEST)
From: Evren Yurtesen
To: Kris Kennaway
Cc: "Vladimir B. Grebenschikov", freebsd-security@FreeBSD.ORG, Brian Feldman
Subject: Re: MD5 passwords vs DES

If you don't mind the side effects, you can try to compile passwd and
perl with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to
/usr/lib/libcrypt.a, which is linked to either the DES or the MD5
library). When you use libscrypt in your passwd and perl programs, the
passwords these programs generate will be MD5 by default.

The side effect of this is that your users can't change their own
passwords if their old password is DES, since libscrypt doesn't
understand DES, and if you have perl scripts which do similar actions,
they may fail. But adduser is a perl script itself, so it would generate
MD5 passwords automatically when you add a new user.

For the passwd program it's simple: in its makefile, just change the
-lcrypt lines to /usr/lib/libscrypt.a. This should do the job. I am not
sure about perl.

Is this a good "temporary" solution for you?

On Sun, 17 Sep 2000, Kris Kennaway wrote:

> On Mon, 18 Sep 2000, Vladimir B. Grebenschikov wrote:
>
> > I have a question:
> >
> > Does anybody have ideas to add 'default crypting mode' for utilities
> > like passwd, adduser, etc?
> >
> > I am not very happy to add new user with adduser, then to edit manually
> > /etc/passwd adding $1$xxx$xx to password, then launch passwd to change
> > password for user. In reality passwd uses old password as salt for
> > new password, but if there was no old password or it was '*' - new
> > password is crypted with DES :(
>
> Brian Feldman wrote code in -current which fixes this by using a login
> capability to specify which format to use for new passwords.
>
> I'm trying to get him to merge it back to -stable in time for
> 4.1.1. Brian, what's the latest?
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
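
Added example (not part of the original message and not FreeBSD's own code): a Python audit of master.passwd-style records that reports each account's current hash format, the format its next password hash would take under the behaviour described in this thread, and whether the libscrypt workaround would stop that user from changing a DES password. The sample records are constructed, and the rule that only an existing $1$ hash leads to a new MD5 hash is an assumption taken from the thread.

```python
import re

# Traditional DES crypt(3): 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: $1$<salt, up to 8 characters>$<22 hash characters>.
MD5_RE = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")


def classify(field):
    """Format of the password field (2nd field) of a master.passwd line."""
    if field == "":
        return "empty"
    if field.startswith("*"):
        return "locked"
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit(lines):
    """Return (user, current, next_hash, libscrypt_blocks_change) per account."""
    rows = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if line.startswith("#") or len(fields) != 10:
            continue  # comment or not a 10-field master.passwd record
        current = classify(fields[1])
        # Assumption taken from the thread: the old hash is reused as the
        # salt, so only an existing $1$ hash leads to a new MD5 hash; an
        # empty or '*' field falls back to DES.
        next_hash = {"md5": "md5", "unknown": "unknown"}.get(current, "des")
        # Thread: a passwd linked against libscrypt does not understand an
        # old DES hash, so these users cannot change their own password.
        rows.append((fields[0], current, next_hash, current == "des"))
    return rows


# Constructed sample records; the hash strings are placeholders, not real hashes.
SAMPLE = [
    "root:$1$saltsalt$" + "A" * 22 + ":0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:ab0123456789.:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol::1003:1003::0:0:Carol:/home/carol:/bin/sh",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-6s current=%-7s next=%-7s libscrypt_blocks_change=%s" % row)
```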