Hello all,

At Armaghan's request I am forwarding, verbatim, an email to him and his reply. Those of you using FreeBSD as your platform might find it beneficial. (I intend to work a bit more on this to see just what files affect ledger123 logins and at what level of the system this effect takes place: OS or application, but only when I have time.)

N.B. I am a home user, not a business entity. My setup is simple, yours might not be. You're on your own.

hth,

r
--- Begin Message ---
Hi Reed,

Thanks a lot for your email.

Could you kindly send it to [email protected] so that it
can benefit those people who are using FreeBSD.

Thanks again and my best regards.

Armaghan
--
http://www.ledger123.com/


On Sun, Sep 26, 2010 at 3:17 PM, Reed Loefgren
<[email protected]> wrote:
> Armaghan,
>
> Today, because I just learned how to do it, I changed my FreeBSD systems so
> that they would use blowfish encryption rather than md5. After doing so I
> was unable to log in to either one of my ledger123 installations (both
> local). No manner of monkeying around, including changing ledger123
> passwords after the switch, seemed to help.
>
> This is what I found out, but I know no perl and have not crawled the
> ledger123 code so it is just supposition on my part, and is as far as I know
> relative to FreeBSD only.
>
> Open a terminal and log in as root. Keep this terminal open!
>
> To use blowfish encryption, in another terminal you alter /etc/login.conf
> from:
>
> default:\
>       :passwd_format=md5:\
>       :copyright=/etc/COPYRIGHT:\
>
> to this:
>
> default:\
>       :passwd_format=blf:\
>       :copyright=/etc/COPYRIGHT:\
>
> Then you do:
>
> cap_mkdb /etc/login.conf
>
> Then you change your passwords so that the current md5 password hash is
> re-created using the blowfish algorithm or you won't be able to log in
> (yikes!) This is the reason for keeping a bail-out root login on-hand as
> above. Everything is fine up to here. What I had done based on the
> instructions I was using is I also changed /etc/auth.conf from:
>
> # crypt_default =       md5 des
>
> to:
>
> # crypt_default =       md5 des
> crypt_default  =       blf
>
> This apparently causes the system to use blowfish for *all* encryption and
> that appears to break ledger123's perl code dealing with user logins. I have
> commented out the crypt_default line again (I might try setting it to 'md5')
> and replaced the ledger123 folder with a new copy (I have only two users to
> re-enter) and everything is OK so far: Blowfish for system logins and md5
> for "internal" encrypted application logins in userspace.
>
> My purpose in this letter is to issue a heads-up in case someone shoots
> themselves in the foot as I did and also because there have been namespace
> collisions demonstrated in md5 hashes. There are none, to the best of my
> knowledge, in blowfish hashes. It might make for a nice addition to
> ledger123/sql-ledger to allow or mandate blowfish encryption if there is
> perl to support that.
>
>
> Thanks for the changes you're applying to sql-ledger, and kindest regards
>
> r
>


--- End Message ---
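
Before closing the bail-out root terminal described in the message above, it helps to confirm which accounts still carry a hash in the old format after `passwd_format` has been switched. The following sh script is an added example, not part of the original e-mails; the account names and hash strings are constructed, and it assumes the usual hash prefixes (`$1$` for md5, `$2$`/`$2a$`/`$2b$`/`$2y$` for Blowfish).

```shell
#!/bin/sh
# Added example: report accounts whose password hash is not yet in the wanted format.

# classify_hash HASH: name the crypt(3) format from the hash prefix.
classify_hash() {
    case "$1" in
        '')                              echo empty ;;
        '*'*)                            echo locked ;;  # no usable password
        '$1$'*)                          echo md5 ;;
        '$2$'*|'$2a$'*|'$2b$'*|'$2y$'*)  echo blf ;;
        '$'*)                            echo other ;;   # some other prefixed format
        *)                               echo des ;;     # traditional, no prefix
    esac
}

# audit_passwd FILE WANTED: print "user format" for each master.passwd-style
# line (name:hash:uid:...) whose hash is not in the WANTED format.
audit_passwd() {
    file=$1 wanted=$2
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        fmt=$(classify_hash "$hash")
        [ "$fmt" = locked ] && continue
        [ "$fmt" = "$wanted" ] || echo "$user $fmt"
    done < "$file"
    return 0
}

# Constructed sample in master.passwd layout; the hashes are placeholders.
sample_master_passwd() {
    cat <<'EOF'
root:$2a$04$CONSTRUCTEDSALT.constructed-hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$CONSTRUC$constructed-hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

tmp=$(mktemp)
sample_master_passwd > "$tmp"
audit_passwd "$tmp" blf   # on a real system, as root: audit_passwd /etc/master.passwd blf
rm -f "$tmp"
```

Any account the script lists still needs its password changed before the old format stops being accepted for it.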
_______________________________________________
SQL-Ledger mailing list
[email protected]
http://lists.ledger123.com/mailman/listinfo/sql-ledger