On 2014-03-07 17:06, Xin Li wrote:
> Hi,
> On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>> [...]
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=15000
>>>> Like this?
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>> Request for comments:
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>> This looks like what we wanted. In the feedback you talked about
>>> some changes to your patch required to make it work, is there any
>>> progress on those?
>> Derek's patches worked perfectly for our needs, but we're the sort
>> of people who use vipw and our own utilities for user management.
>> It wasn't until later that we discovered at least one other file
>> would need patching to satisfy everyone.  We didn't want to employ
>> the same copy-pasta method, so we asked for feedback about our
>> proposed alternative.
>> secteam@, do you have any comments?  Before we put any more work
>> into this, we want to be sure that our proposal is an acceptable
>> one.
> Did you mean adding rounds capability, or transparent upgrade of
> crypt() algorithms, or both?

There are 2 separate but related threads

1) specify rounds for crypt()

2) transparent upgrade of crypt() algo (or more likely just number of

> I need some time to digest the whole transparent upgrade idea but in
> general I think it's good.
> Speaking for adding rounds, the only problem that needs to be fixed is
> that the proposed patch makes it possible to create conflicting
> configuration (passwd_format and passwd_modular can use different
> hashing algorithms) and need to be fixed and polished.  I like the
> idea of making it possible to use more rounds though.
> Cheers,

Allan Jude

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to