[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: xlock (was Re: libcrypt info)

From: Marek Michalkiewicz <marekm i17linuxb ists pwr wroc pl>
To: pam-list redhat com
Subject: Re: xlock (was Re: libcrypt info)
Date: Wed, 12 Jun 1996 00:06:51 +0200 (MET DST)

Andrew Morgan:
> IMHO, the keep it simple rule should apply to modules. This is after
> all one of the advantages of a modular approach to authentication.  I
> think MD5 password encryption should be its own module. A pluggable
> replacement to the unix one. I'd opt for pam_unix vs. pam_unix_md5

But pam_unix_md5 has to be compatible with traditional DES passwords
too - so it could well always be used instead of pam_unix, and thus
renamed to pam_unix :-).  The situation here is similar to pam_unix
vs. pam_shadow (or, as I prefer to call them, pam_v7 vs. pam_unix).
There may be several password hashing algorithms, but it's still
basically the same authentication method.

> as to whether one can constuct messages for 'any' given MD5 digest
> turns out to be real.. (see news:sci.crypt for more info) RIPEMD-160

It wouldn't be good, MD5 is so widely used and trusted...  The new
MD5-based crypt() came from FreeBSD - we'll see what they will do
when MD5 turns out to be weak.  But it may still be hard to break
because it's not just one MD5 hash, it is iterated many times to
slow things down.

At least the new format allows for different magic strings for
different algorithms, so adding a new one in a backward-compatible
way shouldn't be too difficult.

Regards,

Marek

Follow-Ups:
- Re: xlock (was Re: libcrypt info)
  - From: Elliot Lee <sopwith@redhat.com>

References:
- Re: xlock (was Re: libcrypt info)
  - From: morgan@physics.ucla.edu (Andrew Morgan)

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] []