Date: Thu, 29 Aug 1996 13:02:32 -0600 (MDT)
From: Brandon Gillespie <brandon@tombstone.sunrem.com>
To: Nate Williams <nate@mt.sri.com>
Cc: hackers@freebsd.org
Subject: Re: 'Backwards' DES support for crypt(), while still using better algo's
Message-ID: <Pine.BSF.3.91.960829125653.17590A-100000@tombstone.sunrem.com>
In-Reply-To: <199608291855.MAA07380@rocky.mt.sri.com>
On Thu, 29 Aug 1996, Nate Williams wrote:
> > I'm working on hacking SHA-1 encryption into passwords as '$2$' (suggested
> > by Poul). One thought I had was on systems that have existing passwords
> > with DES, where they may want to use better encryption but they don't
> > because right now it is either all or nothing (? as far as I can tell).
>
> Or they use DES since they need it for interoperability with other OS's.
>
> > What would be nice is to have '$0$' be DES encryption, then we could still
> > support better encryption while also staying functional with older
> > passwords
>
> If I understand you correctly, this would mean that FreeBSD's
> DES encrypted password would be different than any other OS's DES
> encrypted password field. This is a bad thing IMHO, since a very common
> question people ask is if FreeBSD's password field is sharable with
> NetBSD/BSDi, OpenBSD, SunOS, etc..
>
> If you install the secure dist (DES) converting to/from FreeBSD's format
> is trivial, and by changing it you are asking for trouble.

Sorry, I was not very clear :) What I'm suggesting is something different from the secure distribution which gives you 'DES capability' while still also having the capability of different encryption algorithms. It would do this with a DES version '$0$' which would hook the encryption into DES encrypt, where '$1$' would still hook into MD5 and '$2$' would hook into SHA-1 (my code for crypt hooks into MD5/SHA-1 already, based off which version you pass it in the salt), and not placing a version in the salt would hook into the 'default' that crypt is using. This leaves it up to crypt() to handle the default version, when newer and better algorithms are added--without having to change passwd and all other relevant programs.

I converted a system from Linux to FreeBSD with a few hundred users; because I wanted to make the change as little a problem as possible I just installed the secure dist, so everything uses DES now--but I would like passwords that are changed/updated to use a newer encryption (MD5 or SHA-1).
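
The salt-prefix dispatch proposed in this message, as an added C example that is not part of the original e-mail and is not FreeBSD's crypt() code. The function and enum names are hypothetical and the sample entries are constructed; only the tag numbers '$0$', '$1$' and '$2$' come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; only the tag numbers $0$/$1$/$2$ come from the message. */
enum scheme { SCHEME_UNKNOWN = -1, SCHEME_DES = 0, SCHEME_MD5 = 1, SCHEME_SHA1 = 2 };

/*
 * Select the algorithm from the leading "$N$" of a salt or stored hash.
 * An untagged salt resolves to dflt, the default crypt() is built with.
 */
enum scheme salt_scheme(const char *salt, enum scheme dflt)
{
    if (salt == NULL)
        return SCHEME_UNKNOWN;
    if (salt[0] != '$')
        return dflt;                 /* no version tag */
    if (salt[1] == '\0' || salt[2] != '$')
        return SCHEME_UNKNOWN;       /* truncated or multi-character tag */
    switch (salt[1]) {
    case '0': return SCHEME_DES;
    case '1': return SCHEME_MD5;
    case '2': return SCHEME_SHA1;
    default:  return SCHEME_UNKNOWN; /* fail closed on tags not listed above */
    }
}

/*
 * 1 if changing the password would move the entry to a different algorithm,
 * 0 if it already uses `preferred`, -1 if the stored tag is not recognised.
 */
int needs_rehash(const char *stored, enum scheme dflt, enum scheme preferred)
{
    enum scheme cur = salt_scheme(stored, dflt);
    if (cur == SCHEME_UNKNOWN)
        return -1;
    return cur != preferred;
}

int main(void)
{
    /* Constructed sample entries, not real password hashes. */
    const char *entries[] = { "abXXXXXXXXXXX", "$0$abXXXXXXXXXXX",
                              "$1$saltsalt$XXXX", "$2$saltsalt$XXXX", "$7$x" };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-18s scheme=%d rehash=%d\n", entries[i],
               salt_scheme(entries[i], SCHEME_DES),
               needs_rehash(entries[i], SCHEME_DES, SCHEME_SHA1));
    return 0;
}
```

An untagged entry follows whatever default is passed in, so in this sketch changing the default also changes how existing untagged hashes are interpreted.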