Feature Proposal: Transparent upgrade of crypt() algorithms
A.J. Kehoe IV (Nanoman)
nanoman at nanoman.ca
Fri Mar 7 22:50:53 UTC 2014
Xin Li wrote:
>Hi,
>
>On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>>
>>>> [...]
>>>>
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=15000
>>>>
>>>> Like this?
>>>>
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>>
>>>> Request for comments:
>>>>
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
[...]
>Speaking for adding rounds, the only problem that needs to be fixed is
>that the proposed patch makes it possible to create conflicting
>configuration (passwd_format and passwd_modular can use different
>hashing algorithms) and needs to be fixed and polished. I like the
>idea of making it possible to use more rounds though.
This was deliberate for backward compatibility. passwd_format will be used by default if passwd_modular isn't defined. If passwd_modular is defined as "disabled", then passwd_format will be used.
What do you think of the idea of putting this into libcrypt instead of pam_unix.c, and then patching pam_unix.c and pw_user.c to reference libcrypt?
--
A.J. Kehoe IV (Nanoman) | /"\ ASCII Ribbon Campaign
Nanoman's Company | \ / - No HTML/RTF in E-mail
E-mail: nanoman at nanoman.ca | X - No proprietary attachments
WWW: http://www.nanoman.ca/ | / \ - Respect for open standards
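
The upgrade decision discussed in this thread, as an added example that is not part of the original message and is not code from PR 182518. It assumes passwd_modular holds a modular-crypt prefix such as "$2b$12$" or "$6$rounds=15000$"; the names parse_mcf and needs_upgrade are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not code from PR 182518. Assumption: passwd_modular holds a
 * modular-crypt prefix such as "$2b$12$" or "$6$rounds=15000$". */
struct mcf { char id[8]; long cost; };

/* Parse "$id$NN$..." (bcrypt log2 cost) or "$id$rounds=N$..." (sha-crypt). */
static int parse_mcf(const char *s, struct mcf *out)
{
    const char *p, *end;
    char *e;

    if (s == NULL || s[0] != '$')
        return -1;                      /* legacy DES hash or garbage */
    p = s + 1;
    end = strchr(p, '$');
    if (end == NULL || end == p || (size_t)(end - p) >= sizeof(out->id))
        return -1;
    memcpy(out->id, p, (size_t)(end - p));
    out->id[end - p] = '\0';
    p = end + 1;
    if (out->id[0] == '2') {            /* bcrypt family: $2a$, $2b$, ... */
        out->cost = strtol(p, &e, 10);
        return (e != p && *e == '$') ? 0 : -1;
    }
    if (strncmp(p, "rounds=", 7) == 0) {
        out->cost = strtol(p + 7, &e, 10);
        return (e != p + 7 && *e == '$') ? 0 : -1;
    }
    /* sha-crypt without rounds= uses 5000; other schemes have no cost field */
    out->cost = (!strcmp(out->id, "5") || !strcmp(out->id, "6")) ? 5000 : 0;
    return 0;
}

/* 1 = rehash on next successful login, 0 = keep, -1 = bad passwd_modular. */
int needs_upgrade(const char *stored_hash, const char *passwd_modular)
{
    struct mcf have, want;

    /* Fallback from the message: unset or "disabled" means passwd_format
     * governs, so this sketch performs no modular comparison. */
    if (passwd_modular == NULL || strcmp(passwd_modular, "disabled") == 0)
        return 0;
    if (parse_mcf(passwd_modular, &want) != 0)
        return -1;
    if (parse_mcf(stored_hash, &have) != 0)
        return 1;                       /* unparseable legacy hash */
    return strcmp(have.id, want.id) != 0 || have.cost < want.cost;
}
```

The check only flags an upgrade when the scheme differs or the stored cost is lower, so a hash that is already stronger than the configured target is left alone.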