On 2014-03-07 17:06, Xin Li wrote:
> Hi,
>
> On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>>
>>>> [...]
>>>>
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=15000
>>>>
>>>> Like this?
>>>>
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>>
>>>> Request for comments:
>>>>
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>>>
>>>
>>> This looks like what we wanted. In the feedback you talked about
>>> some changes to your patch required to make it work, is there any
>>> progress on those?
>
>> Derek's patches worked perfectly for our needs, but we're the sort
>> of people who use vipw and our own utilities for user management.
>> It wasn't until later that we discovered at least one other file
>> would need patching to satisfy everyone. We didn't want to employ
>> the same copy-pasta method, so we asked for feedback about our
>> proposed alternative.
>
>> secteam@, do you have any comments? Before we put any more work
>> into this, we want to be sure that our proposal is an acceptable
>> one.
>
>
> Did you mean adding rounds capability, or transparent upgrade of
> crypt() algorithms, or both?

There are 2 separate but related threads
1) specify rounds for crypt()
2) transparent upgrade of crypt() algo (or more likely just number of
rounds)

>
> I need some time to digest the whole transparent upgrade idea but in
> general I think it's good.
>
> Speaking for adding rounds, the only problem that needs to be fixed is
> that the proposed patch makes it possible to create conflicting
> configuration (passwd_format and passwd_modular can use different
> hashing algorithms) and need to be fixed and polished. I like the
> idea of making it possible to use more rounds though.
>
> Cheers,
>

--
Allan Jude
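The check behind the transparent upgrade discussed in this thread, as an added example (not code from the FreeBSD patches or from PR 182518): it parses a stored modular-crypt string and decides whether it falls below a target scheme and cost, re-hashing only after a successful login because that is the only time the plaintext is available. The function names, the `verify`/`rehash` callables and the sample entries are assumptions made for illustration; 5000 is the sha512-crypt default when no `rounds=` field is present.

```python
import re

SHA_DEFAULT_ROUNDS = 5000  # sha256/sha512-crypt default when rounds= is absent

SAMPLES = {  # constructed entries; salt and digest bytes are filler, not real hashes
    "old_bcrypt": "$2a$04$" + "A" * 53,
    "new_bcrypt": "$2b$12$" + "A" * 53,
    "sha512_default": "$6$saltsalt$" + "B" * 86,
    "sha512_15000": "$6$rounds=15000$saltsalt$" + "B" * 86,
    "locked": "*LOCKED*",
}

def parse_mcf(stored):
    """Return (scheme, cost) for a modular-crypt string, or (None, None)."""
    m = re.match(r"^\$([0-9a-z]+)\$(.*)$", stored)
    if not m:
        return None, None  # traditional DES, "*", or empty field
    scheme, rest = m.groups()
    if scheme.startswith("2"):  # bcrypt: two-digit log2 cost
        c = re.match(r"(\d{2})\$", rest)
        return scheme, int(c.group(1)) if c else None
    if scheme in ("5", "6"):  # sha256/sha512-crypt: optional rounds=N
        r = re.match(r"rounds=(\d+)\$", rest)
        return scheme, int(r.group(1)) if r else SHA_DEFAULT_ROUNDS
    return scheme, None  # e.g. "1" (MD5): no tunable cost

def needs_upgrade(stored, want_scheme, want_cost):
    """True when the stored hash is weaker than the target scheme and cost."""
    if stored == "" or stored.startswith("*"):
        return False  # no usable password, so no login will ever re-hash it
    scheme, cost = parse_mcf(stored)
    if scheme != want_scheme:
        return True  # different (or legacy) algorithm or bcrypt revision
    return cost is None or cost < want_cost

def upgrade_on_login(stored, password, verify, rehash, want_scheme, want_cost):
    """Return the string to keep after a login attempt, None on bad password.

    verify(password, stored) and rehash(password) are caller-supplied
    (hypothetical) wrappers around the system's crypt() implementation.
    """
    if not verify(password, stored):
        return None  # never re-hash on a failed check
    if needs_upgrade(stored, want_scheme, want_cost):
        return rehash(password)
    return stored
```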