On Wed, Oct 14, 2015 at 08:51:06AM -0600, Theo de Raadt wrote:
> > I just found out that ypcipher=old is no longer supported in login.conf.
> 
> That is correct.
> 
> We have deprecated and removed the legacy ciphers.  Passing such simple
> hashes over ethernet in 2015 is not best practice.
> 
> > Since I have a mixed platform lab network using YP (FreeBSD servers) I am
> > curious if anyone has some experience of how portable blowfish is as a
> > cipher for YP passwords.
> 
> Don't know if they are compatible.  Blowfish itself has had a few
> generations.  There was the original in 2001 or so, soon followed by a
> fix in 2002(?).  Then a few years ago a Linux version of blowfish was
> found to have a bug in rare configurations, but to keep everyone safe
> we all adopted some small changes and made a newer version -- $2b$

I made some tests.  A $2b$ password generated on OpenBSD 5.8 works for
FreeBSD 10.1, but not for SLES 10 nor Ubuntu 14.04.

> 
> > FreeBSD man pages say that they support it.  I also have lots of old and new
> > linux clients and just a few OpenBSD clients in the network.  Linux as usual
> > shines being badly documented so I can not find out if any of those support
> > blowfish.  Therefore I ask this list if anyone knows about this?
> >
> > Are there more password ciphers planned for the future e.g. sha256 and
> > sha512?
> 
> No, we will not be adding those.
> 
> Those simple hashes do not provide the future-proof, high-cost-to-crack
> features of bcrypt, which has made it successful as industry staple.
> The dumb hashes even arrived years after bcrypt, seems likely the result
> of choosing ideas "not invented by openbsd"

Ouch!  And I have not seen any other upcoming ciphers mentioned.  These seem
to be state of the art in the Linux world :/

> 
> > Do you have any other tips on how to handle logins in a mixed OS YP network?
> 
> These days, I would recommend using YP in fewer places.  I wrote the
> code, but even I don't use it.  Each time I make changes that need testing
> in a YP environment, my test group has shrunk again...

I guess I will have to look into LDAP, then.

Thank you for your clear answers!

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
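Added example (editor's code, not part of the thread): a small Python helper that pulls the version marker and cost out of a bcrypt string and reports whether a client whose crypt(3) accepts a given set of variants can be expected to verify it at all, which is the question the FreeBSD/SLES/Ubuntu tests above answered by hand. The sample hash and the client capability sets are constructed, and the variant notes are a summary, not something stated in the thread.

```python
import re

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Version markers bcrypt has carried over its history (editor's summary).
BCRYPT_VARIANTS = {
    "2": "original OpenBSD prefix",
    "2a": "revised prefix that also hashes the trailing NUL byte",
    "2x": "crypt_blowfish marker for hashes made with its sign-extension bug",
    "2y": "crypt_blowfish marker for hashes made after that bug was fixed",
    "2b": "OpenBSD 5.5 and later, after the long-password wrap-around fix",
}

# $<variant>$<2-digit cost>$<22 salt chars><31 digest chars>
_HASH_RE = re.compile(r"^\$(2[a-z]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

def parse_bcrypt(hashstr):
    """Split a modular-crypt bcrypt string into (variant, cost, salt, digest).
    Raises ValueError for anything that is not structurally a bcrypt hash."""
    m = _HASH_RE.match(hashstr)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, body = m.group(1), int(m.group(2)), m.group(3)
    if variant not in BCRYPT_VARIANTS:
        raise ValueError("unknown bcrypt variant $%s$" % variant)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be 04..31, got %02d" % cost)
    return variant, cost, body[:22], body[22:]

def salt_is_canonical(salt):
    """22 base64 chars carry 132 bits but the salt is only 128: the low 4 bits
    of the last char must be zero. Implementations differ in how they treat
    non-canonical salts, so such a hash should be considered non-portable."""
    return BCRYPT_B64.index(salt[-1]) % 16 == 0

def verifiable_by(hashstr, accepted_variants):
    """True if a client whose crypt(3) accepts `accepted_variants` (a set such
    as {"2a", "2y"}) can be expected to verify this hash at all."""
    variant, _cost, salt, _digest = parse_bcrypt(hashstr)
    return variant in accepted_variants and salt_is_canonical(salt)

# Constructed sample: well-formed $2b$ string, not the hash of any real password.
SAMPLE = "$2b$10$abcdefghijklmnopqrstuOABCDEFGHIJKLMNOPQRSTUVWXYZabcde"

# Constructed capability sets for illustration, not a statement about any real OS.
OLD_CLIENT = {"2a", "2y"}
NEW_CLIENT = {"2a", "2b"}
```

Run `verifiable_by(SAMPLE, OLD_CLIENT)` and `verifiable_by(SAMPLE, NEW_CLIENT)` to see the portability split: a `$2b$` hash is only usable where the client's crypt(3) knows that marker.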
