Re: [PATCH] pw_encrypt: Add option to enable bcrypt support

Tue, 03 May 2022 06:47:33 -0700 

Am 03.05.22 um 14:23 schrieb Lauri Kasanen:

On Tue, 3 May 2022 13:58:44 +0200
Andreas Helmcke <[email protected]> wrote:



diff --git a/loginutils/Config.src b/loginutils/Config.src
index cbb09646b..cdcd7132f 100644
--- a/loginutils/Config.src
+++ b/loginutils/Config.src
@@ -91,6 +91,28 @@ config USE_BB_CRYPT_SHA
          With this option off, login will fail password check for any
          user which has password encrypted with these algorithms.

+config USE_BCRYPT
+       bool "Enable the bcrypt crypt function"
+       default n
+       depends on !USE_BB_CRYPT
+       help
+       Enable this if you have passwords starting with $2a$, $2y$ or
+       $2b$ in your /etc/passwd or /etc/shadow files. These passwords
+       are hashed using the bcrypt algorithm. Requires the use of a C
+       library that supports bcrypt.


The manpage says 2a is blowfish, which this patch wouldn't enable.


This is depends on the used library.
The patch has two parts:
1. allow the use of longer salt strings for the password functions (in libbb/pw_encrypt.c) 
2. enable the use of bcrypt in BusyBox passwd and chpasswd
Part 1 allows the use of any password hash algorithm, supported by the used libcrypt, for checking password hashes in the passwd (or shadow) file. As long as the starting part of the hash (tag and salt) is no longer than 31 bytes. 

Part 2 allows to generate bcrypt hashes with BusyBox password commands.

Maybe this would be a better and less confusing help text:

        Enable this if you use newer password hashes like bcrypt. E.g.
        if you have passwords starting with $2a$, $2y$ or $2b$ in your
        /etc/passwd or /etc/shadow files. Requires the use of a C
        library that supports these hashes.



I'd also like a compile-time check for the libc support, something like
#if GLIBC && GLIBC_VERSION < blah
#error Your libc doesn't support bcrypt
#endif


Would be nice, but i have no idea how to do this.
Your suggestions only covers glibc and in my case i use this patch together with libxcrypt, so this would not help there. 
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox

Reply via email to