On Wed, 9 Aug 2000, Pete Carah wrote:

> > We should switch to using just libdescrypt and being allowed to switch
> > crypt formats easily between md5 and des.  My proposed solution using
> > login.conf is at http://people.FreeBSD.org/~green/crypt_switching.patch,
> > and it's going to be put into production usage relatively soon (that is,
> > whether or not it's actually in FreeBSD).
> As long as things get switched around so that the format decision is 
> external to libdescrypt and the existing password, so we can change an existing
> des passwd to md5.  However, in our case, apache still needs to
> generate des but *all* other uses want md5.  The link choice is the
> easiest way to select this, with environment next.  Config files won't
> really work since they can't anticipate all uses.

Well, first of all assume that by default the DES-based scheme is what
crypt() uses.

> The full-blown pam implementations do it with pam parameters; login.conf
> is fine but won't work for "third-party" situations like I was commenting
> on (i.e. apache needs to accept and generate des but most others need 
> md5, etc etc)...  Perhaps an environment variable?

PAM still needs support from the crypt() library.  There's not going to
be a way to do it without a proper interface to the crypt library :-/
Right now there is

    int crypt_set_format(const char *format);

This wouldn't be thread-safe to change formats, but crypt() isn't thread
safe in the slightest bit anyway, by design.

> libdescrypt is close since it will accept either; a fixed choice for
> what it generates, external to *any* application code (e.g. environment 
> vars (easiest) or (if possible) config files that are somehow *completely* 
> universal (I don't see how to do this without application mods unless the 
> library can transparently get at argv[0] independently of what the app does 
> like ++argv, etc)) would be nice.

You really cannot do this properly.  It's best just to do what it takes
to get the right format on a given platform.  On FreeBSD now, that's use
libdescrypt and crypt() with a normal salt, or to get MD5 use a salt
with the "$1$" format.  On FreeBSD with the changes I have, you call
e.g. crypt_set_format("md5") and then crypt() with a generic salt.

> -- Pete

 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 [EMAIL PROTECTED]                    `------------------------------'
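
Added example, not part of the original message or of FreeBSD's code: the thread notes that crypt() accepts either format because the stored string identifies it (a plain 13-character DES hash versus a "$1$" MD5 hash), while the format to generate must be chosen separately. The sketch below classifies a stored entry and flags entries that should be re-hashed once a preferred format such as "md5" is configured; `stored_hash_format` and `needs_rehash` are hypothetical names, and the sample entries are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Alphabet used by traditional crypt(3) hashes and salts. */
static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Hypothetical helper: name a stored hash's format with the names passed to
 * crypt_set_format(). NULL = neither layout matched (e.g. a locked "*"). */
const char *stored_hash_format(const char *hash)
{
    if (hash == NULL)
        return NULL;
    if (strncmp(hash, "$1$", 3) == 0) {
        /* MD5: "$1$" + salt of 1..8 chars + "$" + 22-char digest. */
        const char *salt = hash + 3;
        const char *end = strchr(salt, '$');
        if (end == NULL || end == salt || end - salt > 8)
            return NULL;
        if (strlen(end + 1) != 22 || strspn(end + 1, B64) != 22)
            return NULL;
        return "md5";
    }
    /* DES: 2-char salt + 11-char digest, 13 characters in total. */
    if (strlen(hash) == 13 && strspn(hash, B64) == 13)
        return "des";
    return NULL;
}

/* Hypothetical policy check: 1 = re-hash at next successful login,
 * 0 = already in the preferred format, -1 = unrecognised entry. */
int needs_rehash(const char *hash, const char *preferred)
{
    const char *fmt = stored_hash_format(hash);
    if (fmt == NULL)
        return -1;
    return strcmp(fmt, preferred) != 0;
}

int main(void)
{
    /* Constructed sample entries, not real password hashes. */
    const char *samples[] = { "abCDEFGHIJKLM",
                              "$1$saltsalt$0123456789abcdefghijkl", "*" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s rehash-to-md5=%d\n", samples[i],
               needs_rehash(samples[i], "md5"));
    return 0;
}
```

Re-hashing can only happen at a successful login, when the cleartext password is available; the stored DES hash cannot be converted on its own.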
