Roman Morokutti wrote:
> Thank you for the quick reply. It seems that
> CRYPT_ALGORITHMS_DEPRECATE=__unix__ must
> not be enabled as described in the link you sent,
> despite what the comment in the policy.conf file suggests.

Do you have both CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE set as well as CRYPT_DEFAULT? What values are they set to?

The policy.conf(4) man page (but strangely not the policy.conf file itself) says:

    Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE
    value can be specified. Whichever is listed first in the file
    takes precedence. The algorithm specified for CRYPT_DEFAULT
    must either be specified for CRYPT_ALGORITHMS_ALLOW or not be
    specified for CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is
    not specified, the default is __unix__.

> Do you have any experience with CRYPT_ALGORITHMS_DEPRECATE?

Well I wrote the code :-) so yes.

Set only one of _ALLOW or _DEPRECATE. However that should have no effect on authentication as the variables are only used by crypt_gensalt(3C) which is only used during password change (usually via passwd(1) and the pam_authtok_store.so.1 module).

--
Darren J Moffat
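The policy.conf(4) rules quoted in the message above can be checked mechanically. The following is an added example, not part of the original message and not Solaris code; it assumes KEY=value lines, `#` comments and comma-separated algorithm lists, and the function names are hypothetical.

```python
# Added example: lint policy.conf text against the rules quoted from policy.conf(4).
# Assumptions: KEY=value lines, '#' starts a comment, lists are comma-separated.
ALLOW = "CRYPT_ALGORITHMS_ALLOW"
DEPRECATE = "CRYPT_ALGORITHMS_DEPRECATE"
DEFAULT = "CRYPT_DEFAULT"

def parse_policy(text):
    """Return (key, value) pairs for the three crypt settings, in file order."""
    settings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. commented-out keys
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in (ALLOW, DEPRECATE, DEFAULT):
            settings.append((key, value))
    return settings

def check_policy(text):
    """Return (effective_list_key, default_algorithm, problems)."""
    settings = parse_policy(text)
    lists = [(k, v) for k, v in settings if k in (ALLOW, DEPRECATE)]
    # If CRYPT_DEFAULT is not specified, the default is __unix__.
    default = next((v for k, v in settings if k == DEFAULT), "__unix__")
    problems = []
    if len(lists) > 1:
        problems.append("more than one ALLOW/DEPRECATE line; only the first, "
                        + lists[0][0] + ", takes effect")
    if not lists:
        return None, default, problems
    key, value = lists[0]   # whichever is listed first takes precedence
    algorithms = {a.strip() for a in value.split(",") if a.strip()}
    if key == ALLOW and default not in algorithms:
        problems.append("CRYPT_DEFAULT=" + default + " is not in " + ALLOW)
    if key == DEPRECATE and default in algorithms:
        problems.append("CRYPT_DEFAULT=" + default + " is listed in " + DEPRECATE)
    return key, default, problems

# Constructed sample: both list settings present, CRYPT_DEFAULT omitted.
SAMPLE = """\
# constructed policy.conf fragment
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
"""

if __name__ == "__main__":
    print(check_policy(SAMPLE))
```

On the constructed sample it reports two problems: the second list line is ignored, and the implicit default `__unix__` is itself deprecated.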