On Sun, Feb 01, 2015 at 11:59:45PM -0600, Rob Landley wrote:
> 
> 
> On 02/01/2015 10:19 PM, Rich Felker wrote:
> > On Mon, Feb 02, 2015 at 10:33:24AM +0900, 김혜진 wrote:
> >> Hello. I share a patch of su command.
> ...
> > md5 is not better and probably worse than des. You should be using
> > bcrypt if the system supports it and otherwise sha256, sha512, or the
> > enhanced des support some systems have. These could be tried as
> > sequential fallbacks.
> 
> A) I was just going to use the encryption the first entry (presumably
> root) had, given a choice. (Although again, if the android mechanism
> doesn't let you get a user list... presumably they still have uid 0 though.)

This sounds unreliable; in hardened environments you might not be able
to get another user's password hash. (Of course such environments may
require modifications/tweaks to the passwd utility but it would be
nice to keep the amount of modification required minimal.) Simply
trying different "setting" strings for each known algorithm in
decreasing order of strength and using the first one that works seems
a lot smarter.

> B) des salt is 4096 possible entries, _anything_ else lets you use more
> salt.

md5crypt has been EOL'd by its author and really should not be used as
a default for anything new. See:

http://phk.freebsd.dk/sagas/md5crypt_eol.html

Rich
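The sequential fallback described above (probe each known crypt(3) setting prefix, strongest first, and keep the first one the libc actually honours) as an added example; this is illustrative code written for this page, not code from the thread or from toybox. The `crypt_fn` argument is an assumption: any `crypt(password, setting)`-shaped callable, so the logic can be exercised against a fake as well as the real libc.

```python
import secrets
from typing import Callable, Optional

# The crypt(3) salt alphabet shared by DES, the $N$ schemes and bcrypt.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Setting prefixes to probe, strongest first, with the salt length each takes.
# md5crypt ($1$) is deliberately left out, as the mail recommends.
# Assumed ordering: bcrypt, sha512crypt, sha256crypt, then traditional DES.
CANDIDATES = [
    ("$2b$10$", 22),  # bcrypt, cost 10
    ("$6$", 16),      # sha512crypt
    ("$5$", 16),      # sha256crypt
    ("", 2),          # traditional DES: a 2-char salt, only 64*64 = 4096 values
]

CryptFn = Callable[[str, str], Optional[str]]


def make_setting(prefix: str, salt_len: int) -> str:
    """Build a crypt(3) setting string from a prefix and a random salt."""
    return prefix + "".join(secrets.choice(SALT_CHARS) for _ in range(salt_len))


def pick_setting(crypt_fn: CryptFn, probe: str = "probe") -> Optional[str]:
    """Return the strongest setting that crypt_fn actually honours, or None.

    A rejected setting shows up as None or a "*0"/"*1" failure token; a libc
    that silently falls back to DES returns a hash that does not begin with
    the requested setting, so the prefix is checked as well as non-failure.
    """
    for prefix, salt_len in CANDIDATES:
        setting = make_setting(prefix, salt_len)
        try:
            out = crypt_fn(probe, setting)
        except OSError:  # some wrappers raise instead of returning NULL
            continue
        if out and not out.startswith("*") and out.startswith(setting) \
                and len(out) > len(setting):
            return setting
    return None


if __name__ == "__main__":
    try:
        import crypt  # removed in Python 3.13; use a libcrypt binding there
        print("chosen setting:", pick_setting(crypt.crypt))
    except ImportError:
        print("no crypt module available")
```

The prefix check matters in practice: an old libc that does not know a `$6$` setting may hash with DES using the first two characters as salt rather than failing, and without the check that weak hash would be accepted.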
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net