
Re: 2nd Qs: proposed description of new pam_unix

> > prefix=$2a$ count=8	-- OpenBSD-style Blowfish-based hashes
> > 
> > Ideally, the PAM module should know nothing about these or other
> > supported hash types.  It shouldn't know how to process the prefix or
> > the count, -- these are to be passed into crypt_gensalt in libcrypt.
> is it possible to use OpenBSD Blowfish hashes on linux?  would it just
> involve a new libcrypt or what?

It involves a patch to glibc:


and a patch to your pam_pwdb/pam_unix module so that it (1) passes
unknown salt types directly into crypt(3) in libc/libcrypt and (2)
generates suitable salts for new passwords either itself or with a
call to crypt_gensalt() provided by the patched glibc.  Without
patching these two things, you will still be able to verify the
Blowfish-based hashes already in your shadow, but only for passwords
up to 8 characters long (due to the "bigcrypt" mess in pam_pwdb).
I have a patch to pam_pwdb that implements the syntax I've mentioned,
but it's a hack:


It would be nicer if the new pam_unix replacement is able to do the
Right Thing with fewer changes, if not out of the box.

Solar Designer
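
The division of labour described in this message, as an added sketch that is not code from the post, from pam_pwdb/pam_unix or from the glibc patch: the module hands the stored hash to the crypt function as the setting and passes the configured prefix and count to the salt generator, without parsing either. The names `struct backend`, `toy_crypt`, `toy_gensalt`, `module_verify` and `module_new_hash` and the `$toy$` hash type are hypothetical and constructed so the block runs offline; a real module would call crypt(3) and crypt_gensalt() in their place.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for libcrypt, shaped like crypt(3) and crypt_gensalt(). */
struct backend {
    char *(*crypt)(const char *key, const char *setting);
    char *(*gensalt)(const char *prefix, unsigned long count, const char *in, int n);
};
/* Constructed toy backend so this runs offline; "$toy$" is not a real hash type. */
static char *toy_crypt(const char *key, const char *setting)
{
    static char out[64];
    unsigned long h = 5381;
    size_t i;
    if (strncmp(setting, "$toy$", 5) != 0 || strlen(setting) < 12)
        return NULL;                      /* unknown or malformed setting */
    for (i = 0; i < 12; i++) h = h * 33 + (unsigned char)setting[i];
    for (i = 0; key[i]; i++) h = h * 33 + (unsigned char)key[i];
    snprintf(out, sizeof out, "%.12s%08lx", setting, h & 0xffffffffUL);
    return out;
}
static char *toy_gensalt(const char *prefix, unsigned long count, const char *in, int n)
{
    static char out[32];
    if (n < 4) return NULL;
    snprintf(out, sizeof out, "%s%02lu$%.4s", prefix, count, in);
    return out;
}
const struct backend toy = { toy_crypt, toy_gensalt };
/* Module side: the stored hash is the setting; no prefix is ever inspected. */
int module_verify(const struct backend *be, const char *pw, const char *stored)
{
    const char *out = be->crypt(pw, stored);
    size_t i, n;
    unsigned char diff = 0;
    if (!out || out[0] == '*' || (n = strlen(out)) != strlen(stored))
        return 0;                         /* NULL or "*..." signals failure */
    for (i = 0; i < n; i++) diff |= (unsigned char)(out[i] ^ stored[i]);
    return diff == 0;
}
/* New password: prefix and count come from module options, passed through as-is. */
int module_new_hash(const struct backend *be, const char *pw, const char *prefix,
                    unsigned long count, const char *rnd, int nrnd, char *dst, size_t len)
{
    const char *s = be->gensalt(prefix, count, rnd, nrnd);
    const char *out = s ? be->crypt(pw, s) : NULL;
    if (!out || out[0] == '*' || strlen(out) >= len) return -1;
    strcpy(dst, out);
    return 0;
}
```

Supporting a new hash type then means changing only the backend; an unknown prefix is rejected by the backend and surfaces in the module as an ordinary failure.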
