Date:      Thu, 29 Aug 1996 15:26:42 -0600 (MDT)
From:      Nate Williams <nate@mt.sri.com>
To:        Brandon Gillespie <brandon@tombstone.sunrem.com>
Cc:        hackers@freebsd.org
Subject:   Re: 'Backwards' DES support for crypt(), while still using better , algo's
Message-ID:  <199608292126.PAA08439@rocky.mt.sri.com>
In-Reply-To: <Pine.BSF.3.91.960829141415.17864A-100000@tombstone.sunrem.com>
References:  <199608291906.NAA07417@rocky.mt.sri.com> <Pine.BSF.3.91.960829141415.17864A-100000@tombstone.sunrem.com>

> > > Sorry, I was not very clear :) What I'm suggesting is something different
> > > from the secure distribution which gives you 'DES capability' while still
> > > also having the capability of different encryption algorithms.  It would
> > > do this with a DES version '$0$' which would hook the encryption into DES
> > > encrypt, where '$1$' would still hook into MD5 and '$2$' would hook into
> > > SHA-1 (my code for crypt hooks into MD5/SHA-1 already, based off which
> > > version you pass it in the salt), and not placing a version in the salt
> > > would hook into the 'default' that crypt is using.  This leaves it up to
> > > crypt() to handle the default version, when newer and better algorithms
> > > are added--without having to change passwd and all other relevant
> > > programs. 
> > 
> > Except that this new password file is now FreeBSD-centric, and can't be
> > shared with any other system.  Simply adding a new 'token' for the SHA-1
> > stuff would be fine, but changing what DES looks like is asking for
> > trouble.
> 
> The password file is already FreeBSD-centric, you cannot drop back to a 
> DES only (or Version 7) file with MD5/SHA passwords scattered through
> it.

This is a non-standard case.  Most folks have all of one or the other.

And, if you've got DES only passwords, you don't want them 'changed' to
have a token in them.  Special casing this is as much work as special
casing 'not' having the token there, so you aren't buying anything but
more work since all of the routines would have to see if it was a
'DES-only' password file and NOT prepend the token if so, else you can
prepend the token.

The current behavior of no-token == DES allows everything to work
normally.



Nate
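
Added example (not part of the original message, and not FreeBSD's crypt code): a small C audit that classifies password-file hash fields by the scheme tokens discussed in this thread and counts the entries a DES-only crypt() could not verify. The meanings of `$0$` and `$2$` follow the proposal quoted above; the function names and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Tokens as used in this thread: "$1$" = MD5 (existing); "$2$" = SHA-1 and
 * "$0$" = DES are the proposal being debated; no token = traditional DES. */
enum scheme { SCH_DES_TRAD, SCH_DES_TOKEN, SCH_MD5, SCH_SHA1, SCH_OTHER_TOKEN, SCH_NOT_HASH };

enum scheme classify_hash(const char *h)
{
    static const char abc[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (h[0] == '$') {
        if (strncmp(h, "$0$", 3) == 0) return SCH_DES_TOKEN;
        if (strncmp(h, "$1$", 3) == 0) return SCH_MD5;
        if (strncmp(h, "$2$", 3) == 0) return SCH_SHA1;
        return SCH_OTHER_TOKEN;
    }
    /* Traditional DES crypt output: 2 salt + 11 hash characters. */
    if (strlen(h) == 13 && strspn(h, abc) == 13) return SCH_DES_TRAD;
    return SCH_NOT_HASH;                 /* "*", empty, or malformed */
}

/* Count "name:hash:..." entries that carry a scheme token, i.e. entries a
 * DES-only crypt() could not verify. Returns -1 on a malformed line. */
int count_tokenized(const char *const *lines, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        char field[128];
        const char *start = strchr(lines[i], ':');
        if (start == NULL) return -1;
        size_t len = strcspn(++start, ":");
        if (len >= sizeof field) return -1;
        snprintf(field, sizeof field, "%.*s", (int)len, start);
        enum scheme s = classify_hash(field);
        if (s != SCH_DES_TRAD && s != SCH_NOT_HASH) count++;
    }
    return count;
}

/* Constructed sample entries; the hash strings are made up, not real output. */
static const char *const DES_ONLY[] = { "alice:ab01FAX.bQRSU:1001:", "daemon:*:1:" };
static const char *const MIXED[] = { "alice:ab01FAX.bQRSU:1001:",
    "bob:$1$saltsalt$0123456789abcdefghijkl:1002:", "carol:$0$ab01FAX.bQRSU:1003:" };

int main(void)
{
    printf("DES-only file: %d tokenized\n", count_tokenized(DES_ONLY, 2));
    printf("mixed file:    %d tokenized\n", count_tokenized(MIXED, 3));
    return 0;
}
```

The `carol` entry is the same DES hash as `alice` with the proposed `$0$` token prepended, and it is counted as tokenized, while the untokenized DES-only file counts zero.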


