[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_crypt module will change the world

On Wed, Apr 16, 1997 at 03:56:47PM -0500, Adam Slattery wrote:
> > Also, how do you plan to support password changing? Is it done in a
> > modular way as well? If so, which modules are available?
> Pam_crypt already does this :). I think I discussed this in an earlier

BTW, what I saw in this piece was one of the reasons I said your code
is not clean enough.  It has the same flaws that libpwdb and pam_unix
do (may corrupt password files).  (I've explained that on pam-list and
security-audit last year.)

> message but I'll give an overview.  Everything dealing with a certain
> hashing algorithm (md5, des, etc) is handled in a dynamically loadable
> module specific to that algorithm, including password changing.  In case
> there was confusion, pam_crypt is functional (although in alpha release) and
> has full support for md5, des, and now openbsd bcrypt.  Support is also
> included for vcblowfish, but I might drop this (mainly at the request of
> solar designer) for reasons discussed earlier in this thread.  I'm sure


> somebody has started work on an AES (Rijndael) crypt() implementation.

That would be unfortunate.  It's not the underlying cipher which is
most important, and it is non-obvious if AES is a better choice.

> Although I wouldn't recommend using this the day it comes out, pam_crypt
> will provide an excellent way for the author to get people to adopt his
> algorithm.

Which is both good and bad.  It's bad as it makes migration to other
systems harder.  Those other systems may lack PAM support or not use
it for a particular service.

> Take bcrypt for example: OpenBSD uses it. Solar Designer made a
> glibc patch, but I haven't met anybody that actually uses it.  When

It's default in Mandrake 7.0 Russian Edition (no, I wasn't doing any
development/packaging for them) and in Owl (which is still not public,
but is used in a few places).

> pam_crypt is more widely used, I can gaurantee you that a lot of people will
> start using bcrypt on their linux boxes.  In fact, I know somebody that does
> this now with pam_crypt :-).

With bcrypt, this is clearly the good part as bcrypt is already used
on OpenBSD for some years now.

> PS: What is up with this brazilian auto-responder thing? It is getting
> extremely anoying. Does anybody else get messages from terra@zaz.com.br
> whenever they post to the list?

I think everyone does (I do). :-(


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []