James Carlson wrote:
> Gary Winiger writes:
>> Hummm, does the installer now use PAM here? I don't recall.
>> It used to use a private implementation of "unix" crypt. I
>> believe it now at least uses crypt(3C). In terms of password
>> strength, it might be nice to have the installer ask about parameters
>> as well as algorithm, then sites could choose and not have to
>> configure post CD install. For jumpstart, it probably doesn't
>> matter.
>
> No more baffling three-headed-dog install questions, please. If we've
> got a best practice for algorithms (sha256?), then make that the
> default, and require the use of some sort of "expert mode" to allow
> bit-fiddling.
>

No worries, somebody would have to make a convincing case that there is absolutely no way that we can set a reasonably secure password without asking for algorithms and other parameters before they'd get into the common interface. I don't consider that a likely outcome.

Whether there'll be an advanced interface for pieces like this is an unresolved issue - the question is whether there's sufficient need beyond the pre-configuration that's possible with something like sysidcfg(4) to justify the effort.

To answer some of the earlier discussion in the thread, sysidtool (where the root password setting is done) uses a basic crypt_gensalt()/crypt() sequence at present. As we'll be replacing that implementation, we'll have some discussion with the experts on whether there's a better solution.

Dave
