[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_crypt module will change the world



> Well, I think it would be nice to have getpwnam() be a source for
> pam_crypt.

Ok. This is priority #2. (After the sshd issue I found last night). I really
didn't think many people used non-default nsswitch.conf files, and I've had
several people ask me how to easily add non-system accounts for
name_your_service.  This was my reasoning for not using getpwnam.  I
definately made a big misjudgement.  I'd like to kill this discussion;
support will be added before I ask Andrew to include pam_crypt in Linux-PAM.
It might even be implemented in pam_crypt-0.0.4; we'll see :).


> Also, how do you plan to support password changing? Is it done in a
> modular way as well? If so, which modules are available?

Pam_crypt already does this :). I think I discussed this in an earlier
message but I'll give an overview.  Everything dealing with a certain
hashing algorithm (md5, des, etc) is handled in a dynamically loadable
module specific to that algorithm, including password changing.  In case
there was confusion, pam_crypt is functional (although in alpha release) and
has full support for md5, des, and now openbsd bcrypt.  Support is also
included for vcblowfish, but I might drop this (mainly at the request of
solar designer) for reasons discussed earlier in this thread.  I'm sure
somebody has started work on an AES (Rijndael) crypt() implementation.
Although I wouldn't recommend using this the day it comes out, pam_crypt
will provide an excellent way for the author to get people to adopt his
algorithm.  Take bcrypt for example: OpenBSD uses it. Solar Designer made a
glibc patch, but I haven't met anybody that actually uses it.  When
pam_crypt is more widely used, I can gaurantee you that a lot of people will
start using bcrypt on their linux boxes.  In fact, I know somebody that does
this now with pam_crypt :-).

Thanks. You guys have been a huge help in deciding the direction of
pam_crypt. I'll be out of town until tuesday night.
-Adam

Current primary site: http://www.whstechs.org/pam_crypt/
Alternate site:  http://seculinux.hackersclub.com/pam_crypt/


PS: What is up with this brazilian auto-responder thing? It is getting
extremely anoying. Does anybody else get messages from terra@zaz.com.br
whenever they post to the list?





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []