Date:      Fri, 07 Mar 2014 17:53:21 -0500
From:      Allan Jude <freebsd@allanjude.com>
To:        d@delphij.net, nanoman@nanoman.ca, secteam@FreeBSD.org
Cc:        Dag-Erling Smørgrav <des@des.no>, freebsd-current@freebsd.org
Subject:   Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID:  <531A4DE1.3070507@allanjude.com>
In-Reply-To: <531A42F3.5020207@delphij.net>
References:  <2167732.JmQmEPMV2N@desktop.reztek> <201403070913.30359.jhb@freebsd.org> <5319DE84.3040602@allanjude.com> <20140307161313.GA49137@nanocomputer.nanoman.ca> <531A2CC1.8080802@allanjude.com> <20140307215223.GB49137@nanocomputer.nanoman.ca> <531A42F3.5020207@delphij.net>

On 2014-03-07 17:06, Xin Li wrote:
> Hi,
>
> On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>>
>>>> [...]
>>>>
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=15000
>>>>
>>>> Like this?
>>>>
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>>
>>>> Request for comments:
>>>>
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>>>
>>>
>>> This looks like what we wanted. In the feedback you talked about
>>> some changes to your patch required to make it work, is there any
>>> progress on those?
>
>> Derek's patches worked perfectly for our needs, but we're the sort
>> of people who use vipw and our own utilities for user management.
>> It wasn't until later that we discovered at least one other file
>> would need patching to satisfy everyone.  We didn't want to employ
>> the same copy-pasta method, so we asked for feedback about our
>> proposed alternative.
>
>> secteam@, do you have any comments?  Before we put any more work
>> into this, we want to be sure that our proposal is an acceptable
>> one.
>
> Did you mean adding rounds capability, or transparent upgrade of
> crypt() algorithms, or both?

There are 2 separate but related threads

1) specify rounds for crypt()

2) transparent upgrade of crypt() algo (or more likely just number of
rounds)

>
> I need some time to digest the whole transparent upgrade idea but in
> general I think it's good.
>
> Speaking for adding rounds, the only problem that needs to be fixed is
> that the proposed patch makes it possible to create conflicting
> configuration (passwd_format and passwd_modular can use different
> hashing algorithms) and needs to be fixed and polished.  I like the
> idea of making it possible to use more rounds though.
>
> Cheers,
>


-- 
Allan Jude
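
The two requests in this thread (a configurable rounds count and transparent upgrade of existing hashes) meet at one decision: does a stored hash fall below the configured target? The C sketch below is an added example, not code from the FreeBSD tree or from the patches linked above; `struct crypt_policy` and `needs_upgrade()` are hypothetical names, and it handles only the bcrypt and SHA-crypt formats mentioned in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy record: the format every stored hash should meet. */
struct crypt_policy {
    const char *id;     /* modular-crypt id: "2b" (bcrypt), "6" (sha512) */
    unsigned long cost; /* bcrypt log2 cost, or SHA-crypt rounds */
};

/* 1 = re-hash after next successful login, 0 = meets policy, -1 = not parsed. */
int needs_upgrade(const char *hash, const struct crypt_policy *want)
{
    unsigned long cost = 5000; /* SHA-crypt default when "rounds=" is absent */
    const char *id, *end, *f;
    char *stop;

    if (hash == NULL || hash[0] != '$' || (end = strchr(hash + 1, '$')) == NULL)
        return -1;              /* legacy DES, locked or empty entry */
    id = hash + 1;
    size_t idlen = (size_t)(end - id);
    f = end + 1;                /* first field after the id */
    if (id[0] == '2' && idlen <= 2) {   /* bcrypt: $2a$NN$salt+hash */
        if (!isdigit((unsigned char)f[0]) || !isdigit((unsigned char)f[1]) || f[2] != '$')
            return -1;
        cost = (unsigned long)(f[0] - '0') * 10 + (unsigned long)(f[1] - '0');
    } else if (idlen == 1 && (id[0] == '5' || id[0] == '6')) {
        if (strncmp(f, "rounds=", 7) == 0) {   /* $6$rounds=N$salt$hash */
            cost = strtoul(f + 7, &stop, 10);
            if (!isdigit((unsigned char)f[7]) || *stop != '$')
                return -1;
        }
    } else {
        return -1;              /* id this sketch does not handle */
    }
    /* A different id (2a vs 2b) or a lower cost both call for a re-hash. */
    if (strlen(want->id) != idlen || strncmp(want->id, id, idlen) != 0)
        return 1;
    return cost < want->cost;
}

int main(void)
{
    struct crypt_policy p = { "2b", 12 };
    /* Constructed sample hash string, not a real credential. */
    printf("%d\n", needs_upgrade("$2a$04$constructedsaltandhashvalue", &p));
    return 0;
}
```

A login path would call this only after the supplied password has verified against the stored hash, since that is the only point at which the cleartext is available to re-hash.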

