[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: 2nd Qs: proposed description of new pam_unix



> > prefix=$2a$ count=8	-- OpenBSD-style Blowfish-based hashes
> > 
> > Ideally, the PAM module should know nothing about these or other
> > supported hash types.  It shouldn't know how to process the prefix or
> > the count, -- these are to be passed into crypt_gensalt in libcrypt.
> 
> is it possible to use OpenBSD Blowfish hashes on linux?  would it just
> involve a new libcrypt or what?

It involves a patch to glibc:

	http://www.openwall.com/crypt/

and a patch to your pam_pwdb/pam_unix module so that it (1) passes
unknown salt types directly into crypt(3) in libc/libcrypt and (2)
generates suitable salts for new passwords either itself or with a
call to crypt_gensalt() provided by the patched glibc.  Without
patching these two things, you will still be able to verify the
Blowfish-based hashes already in your shadow, but only for passwords
of up to 8 characters long (due to "bigcrypt" mess in pam_pwdb).
I have a patch to pam_pwdb that implements the syntax I've mentioned,
but it's a hack:

	ftp://ftp.openwall.com/pvt/Linux-PAM-0.72-owl-pam_pwdb-hack.diff.gz

It would be nicer if the new pam_unix replacement is able to do the
Right Thing with fewer changes, if not out of the box.

Signed,
Solar Designer





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []