[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pam_crypt module will change the world

I have a new pam module (pam_crypt) that currently has support for
authentication and password management.  Session and account management
could easily be added, but I currently don't see much of a reason... maybe
in a future release.

The main goal of the module is to provide a great deal of flexibility.  The
primary selling point is that a wide range of cryptographic algorithms can
be used (currently 3, this will increase significantly when other people
submit algorithm modules or I adapt a few more algorithms).  Currently there
is support for md5, des, and vcblowfish (formerly known as glibfish).

Currently I am going to be working on documentation updates (this email will
become the README file most likely :).  In the next week or so there should
be a new release
solely with more documentation.

If you are interested in playing with this, it can currently be found at:

I have done rather extensive testing and the module is currently usable.
There may be bugs, and I recommend you make a backup copy of your
/etc/passwd and /etc/shadow.  Beta testing a program that messes with
extremely important system files is not for the novice user. You have been
warned. Please submit bug reports though.

I have a question for the list. Is there anything I need to do to pam_crypt
before it can be added to the main Linux-PAM release?

Algorithms are supported via loadable modules (a la libdl).  Each algorithm
gets a loadable module and has 2 global functions that pam_crypt can call.
One is basically a crypt(3) compatible interface that will encrypt a key
given a salt and return the result (this is used for authentication
purposes).  The second is used when creating a new password based only on a
key.  The function is then responsible for getting a random salt (optionally
assisted by pam_crypt for getting random data).  After the new encrypted
password has been created the function must update the passwd (or shadow)
file. To do this the algorithm module relies on pam_crypt, which provides a
very simple interface that provides a very safe and secure method of
updating the appropriate file.  See the API file in the tarball for mroe

There is a main pam_crypt.so module that replaces pam_unix/pam_pwdb and is a
standard pam module.  Then there is a pam_crypt.conf file that has
information on algorithm modules and the various algorithms.  Each algorithm
is distinguised by a unique salt (md5 uses $1$, vcblowfish $VCB1$, des uses
no salt).  In the config file you can specify the algorithm to use for newly
created passwords, a method for obtaining random entropy for salt creation,
and the directory where algorithm modules can be found.

VCBlowfish (Variable Cost Blowfish) is a blowfish based implementation of
crypt() that supports variable length salts and an adjustable cost to slow
down password cracking attempts as hardware speed increases.  When I wrote
this algorithm, I borrowed some of the ideas presented by bcrypt (openbsd)
and included some of my own design ideas on how to make an algorithm that
would stand the test of time (unlike des, hehe).

Fully compatible with modules such as cracklib. It is more flexible than
pam_unix in that you can specify where the passwd file is, which is very
useful if you don't want to use system accounts for a given service (this
could be used with vsftp to create ftp user accounts without creating any
system accounts).

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []