On Sun, Jan 20, 2002 at 20:17:21 +0000, Mark Murray wrote:
> Hmm. OK. Do you understand, though, why the salt does not need
> cryptographic randomness?


> Another patch of yours replaced sprintf with a faster strlcpy,
> but this uses the _much_ slower arc4random() which is not
> necessary IMO. How about just using pid's or something?

1) arc4random() is not slower than random(), so it not _increase_ 
existent PAM slowness.
2) I care here not about PAM, but about user application which RNG state 
current code damages.
3) I treat arc4random() replacement as bugfix for _application_ which not 
makes PAM code worse than it already is.

> The original crypt(3) salt quantised the time-of-day into
> 4096 pieces for the salt - how about doing something like
> that? UUEncode time()|pid()|getuid() might work just fine.

I agree. But I don't plan to improve PAM in this my fix, I just want to 
unbreak application first. Someone else can do what you suggest 

Andrey A. Chernov

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to