Date: Tue, 16 May 2000 15:05:33 -0400 (EDT)
From: Kenneth W Cochran <kwc@world.std.com>
To: "Chris D. Faulhaber" <jedgar@fxp.org>
Cc: freebsd-stable@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Password scheme preservation/setting in 4.0-s
Message-ID: <200005161905.PAA24096@world.std.com>

>From jedgar@fxp.org Tue May 16 08:51:37 2000
>Date: Tue, 16 May 2000 08:50:22 -0400 (EDT)
>Subject: Re: Password scheme preservation/setting in 4.0-s
>
>On Mon, 15 May 2000, Kenneth W Cochran wrote:
>> >From owner-freebsd-stable@FreeBSD.ORG Mon May 15 22:04:26 2000
>> >Date: Mon, 15 May 2000 22:01:58 -0400 (EDT)
>> >From: "Chris D. Faulhaber" <jedgar@fxp.org>
>> >Subject: Re: Password scheme preservation/setting in 4.0-s
>> >
>> >On Mon, 15 May 2000, Kenneth W Cochran wrote:
>> >>
>> >> Is there a way to preserve the password "scheme" (MD5 vs DES)
>> >> across buildworld/installworld in 4.0-STABLE?
>> >>
>> >> It appears that perhaps installworld re-set the symlinks on the
>> >> crypto runtime libraries to DES even though I "manually" set
>> >> them to MD5.
>> >
>> >See /etc/default/make.conf, in particular:
>> >
>> >#NODESCRYPTLINKS=true # do not replace libcrypt -> libscrypt links

So, it appears that I must un-comment this line, but what if I
un-comment it & change its "value" to "false" (or something
else, perhaps something silly)? I have a "hunch" it doesn't
care, as long as the "value" is non-null; looks like I need to
do some more "research..." :)

>> Cool, thanks; I thought I'd looked there... (Seems like I
>> looked everyplace else... :)
>>
>> What effect does this have on {build,install}world?
>>
>> For example, does this "force" the *crypt links to *scrypt or
>> does it just "leave things as they are," whatever they might be?
>
>Yes, it forces the links to libscrypt* instead of libdescrypt*
>
>> How does this "#define" relate to previous versions of FreeBSD
>> if we didn't install the DES crypto distribution? With 4.x, I
>> have to install the crypto to get OpenSSH & that sets things up
>> to use DES instead of MD5. I've previously written that it
>> would be nice if we could select crypto using MD5... :)
>>
>> My "guess" is that the default sysinstall sets up the links into
>> libscrypt* & if DES is "selected" then the links get set to the
>> libdescrypt* libraries.
>
>I don't quite understand the question. You are correct in that
>the DES dist. is required for the crypto in 4.x, which sets up
>the libcrypt links to libdescrypt*. And yes, it would be nice
>to have the ability to select the default crypto mechanism
>(patches are gladly accepted).

I'd be delighted to, but I don't know how. Yet. I'd welcome
pointers on how to do this (i.e. a place to RTFM... :).
There are a few other places I'd like to do this, too...

>> Hmmm... Does that mean that make "tests" someplace for
>> existence of the DES libraries & handles this automagically?
>
>Yep, from /usr/src/Makefile.inc1:
>
>.if exists(${.CURDIR}/secure) && !defined(NOCRYPT) && !defined(NOSECURE)
>SUBDIR+= secure
>.endif
>
>among other places.

Hey, thanks! This is an example of something I'd like to see
better documented, but I bet it changes frequently. I might be
willing to write some doc myself, but as yet I don't know enough
about the insides of this to do so... <sigh...>

>-----
>Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
>--------------------------------------------------------
>FreeBSD: The Power To Serve - http://www.FreeBSD.org
-kc
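
A check for the question raised in this thread, whether the libcrypt links still point at libscrypt* (MD5) or were reset to libdescrypt* (DES) after installworld. This is an added example, not part of the original message or the FreeBSD source tree. The function names and the sample file names are assumptions made for illustration, and the libcrypto* skip assumes OpenSSL's library may sit in the same directory.

```shell
#!/bin/sh
# Added example. The file names in make_sample_dir are constructed sample
# data, not a listing of a real FreeBSD /usr/lib.

# classify_link PATH: print md5, des, unknown or not-a-symlink
classify_link() {
    if [ ! -L "$1" ]; then
        echo "not-a-symlink"
        return 0
    fi
    target=$(readlink "$1")
    case "${target##*/}" in
        libscrypt*)   echo "md5" ;;      # libcrypt -> libscrypt*
        libdescrypt*) echo "des" ;;      # libcrypt -> libdescrypt*
        *)            echo "unknown" ;;
    esac
}

# audit_libcrypt DIR WANT: print one line per libcrypt* entry in DIR.
# Returns 0 if all match WANT, 1 on any mismatch, 2 if nothing was found.
audit_libcrypt() {
    dir=$1; want=$2; rc=0; seen=0
    for link in "$dir"/libcrypt*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        # The glob also matches OpenSSL's libcrypto*, which is unrelated.
        case "${link##*/}" in libcrypto*) continue ;; esac
        seen=1
        got=$(classify_link "$link")
        printf '%s: %s\n' "${link##*/}" "$got"
        [ "$got" = "$want" ] || rc=1
    done
    [ "$seen" -eq 1 ] || rc=2
    return "$rc"
}

# Constructed layout: one link left on MD5, one reset to DES.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/libscrypt.a"; : > "$d/libdescrypt.so.2"
    ln -s libscrypt.a "$d/libcrypt.a"
    ln -s libdescrypt.so.2 "$d/libcrypt.so"
    echo "$d"
}

sample=$(make_sample_dir)
audit_libcrypt "$sample" md5 || echo "at least one link is not on md5"
rm -rf "$sample"
```

On a real system the first argument would be the library directory and the second the scheme that is expected to survive the upgrade.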
