Date:      Fri, 07 Mar 2014 14:06:43 -0800
From:      Xin Li <delphij@delphij.net>
To:        nanoman@nanoman.ca, Allan Jude <freebsd@allanjude.com>,  secteam@FreeBSD.org
Cc:        Dag-Erling Smørgrav <des@des.no>, freebsd-current@freebsd.org
Subject:   Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID:  <531A42F3.5020207@delphij.net>
In-Reply-To: <20140307215223.GB49137@nanocomputer.nanoman.ca>
References:  <2167732.JmQmEPMV2N@desktop.reztek> <201403070913.30359.jhb@freebsd.org> <5319DE84.3040602@allanjude.com> <20140307161313.GA49137@nanocomputer.nanoman.ca> <531A2CC1.8080802@allanjude.com> <20140307215223.GB49137@nanocomputer.nanoman.ca>

Hi,

On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
> Allan Jude wrote:
>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>> Allan Jude wrote:
>>> 
>>> [...]
>>> 
>>>> Honestly, my use case is just silently upgrading the strength
>>>> of the hashing algorithm (when combined with my other feature
>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>> or something. Same applies for the default sha512, maybe I
>>>> want to update to rounds=15000
>>> 
>>> Like this?
>>> 
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>> 
>>> Request for comments:
>>> 
>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>> 
>> 
>> This looks like what we wanted. In the feedback you talked about
>> some changes to your patch required to make it work, is there any
>> progress on those?
> 
> Derek's patches worked perfectly for our needs, but we're the sort
> of people who use vipw and our own utilities for user management.
> It wasn't until later that we discovered at least one other file
> would need patching to satisfy everyone.  We didn't want to employ
> the same copy-pasta method, so we asked for feedback about our
> proposed alternative.
> 
> secteam@, do you have any comments?  Before we put any more work
> into this, we want to be sure that our proposal is an acceptable
> one.
> 

Did you mean adding rounds capability, or transparent upgrade of
crypt() algorithms, or both?

I need some time to digest the whole transparent upgrade idea but in
general I think it's good.

Speaking for adding rounds, the only problem that needs to be fixed is
that the proposed patch makes it possible to create a conflicting
configuration (passwd_format and passwd_modular can use different
hashing algorithms), and it needs to be fixed and polished.  I like the
idea of making it possible to use more rounds though.

Cheers,
- -- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
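
Added example, not part of the original message or of the patches discussed in the thread: a check that decides whether a stored modular crypt string falls short of a target such as the `$2a$04$` to `$2b$12$` or `rounds=15000` upgrades mentioned above. The function names and the policy-as-prefix convention are hypothetical; the sample hash strings are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct scheme { char id[4]; long cost; };

/* Read the scheme id and work factor from a modular crypt prefix; 0 on success. */
static int parse_scheme(const char *s, struct scheme *out)
{
    if (s == NULL || s[0] != '$') return -1;
    const char *end = strchr(s + 1, '$');
    size_t n = end ? (size_t)(end - (s + 1)) : 0;
    if (n == 0 || n >= sizeof(out->id)) return -1;
    memcpy(out->id, s + 1, n);
    out->id[n] = '\0';
    const char *p = end + 1;
    if (out->id[0] == '2') {                 /* bcrypt: "$2a$04$", two-digit log2 cost */
        if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1]) || p[2] != '$')
            return -1;
        out->cost = (p[0] - '0') * 10 + (p[1] - '0');
        return 0;
    }
    if (strcmp(out->id, "5") == 0 || strcmp(out->id, "6") == 0) {   /* SHA-crypt */
        if (strncmp(p, "rounds=", 7) != 0) { out->cost = 5000; return 0; } /* default */
        if (!isdigit((unsigned char)p[7])) return -1;
        char *stop;
        out->cost = strtol(p + 7, &stop, 10);
        return *stop == '$' ? 0 : -1;
    }
    return -1;                               /* e.g. "$1$" MD5 or legacy DES */
}

/* 1 = rehash with the policy, 0 = already conforms, -1 = policy string is invalid.
 * Call only after crypt() has verified the password, when the cleartext is in hand. */
int needs_rehash(const char *stored, const char *policy)
{
    struct scheme have, want;
    if (parse_scheme(policy, &want) != 0) return -1;
    if (parse_scheme(stored, &have) != 0) return 1;   /* unrecognized format */
    if (strcmp(have.id, want.id) != 0) return 1;      /* e.g. $2a$ -> $2b$ */
    return have.cost < want.cost;
}

int main(void)
{
    /* Constructed sample prefixes; salt and digest parts are placeholders. */
    printf("%d\n", needs_rehash("$2a$04$placeholder", "$2b$12$"));
    printf("%d\n", needs_rehash("$6$salt$placeholder", "$6$rounds=15000$"));
    printf("%d\n", needs_rehash("$6$rounds=15000$salt$placeholder", "$6$rounds=15000$"));
    return 0;
}
```

A SHA-crypt string without `rounds=` is treated as the 5000-round default, so it is flagged against a 15000-round target.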