Re: 2nd Qs: proposed description of new pam_unix

> > prefix=$2a$ count=8	-- OpenBSD-style Blowfish-based hashes
> > 
> > Ideally, the PAM module should know nothing about these or other
> > supported hash types.  It shouldn't know how to process the prefix or
> > the count, -- these are to be passed into crypt_gensalt in libcrypt.
> 
> is it possible to use OpenBSD Blowfish hashes on linux?  would it just
> involve a new libcrypt or what?

It involves a patch to glibc:

	http://www.openwall.com/crypt/

and a patch to your pam_pwdb/pam_unix module so that it (1) passes
unknown salt types directly into crypt(3) in libc/libcrypt and (2)
generates suitable salts for new passwords either itself or with a
call to crypt_gensalt() provided by the patched glibc.  Without
patching these two things, you will still be able to verify the
Blowfish-based hashes already in your shadow, but only for passwords
of up to 8 characters long (due to "bigcrypt" mess in pam_pwdb).
I have a patch to pam_pwdb that implements the syntax I've mentioned,
but it's a hack:

	ftp://ftp.openwall.com/pvt/Linux-PAM-0.72-owl-pam_pwdb-hack.diff.gz

It would be nicer if the new pam_unix replacement is able to do the
Right Thing with fewer changes, if not out of the box.

Signed,
Solar Designer
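
Added example, not part of the original message or of the Openwall patches: a self-contained C illustration of generating a salt "itself" for the `prefix=$2a$ count=8` setting quoted above. `gensalt_2a` is a hypothetical stand-in for crypt_gensalt() (whose real signature is not shown in this message); the caller supplies the 16 random bytes, here read from /dev/urandom as an assumption.

```c
#include <stdio.h>
#include <string.h>

/* bcrypt uses its own base64 alphabet, not the RFC 4648 one. */
static const char itoa64[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Hypothetical helper: build "$2a$NN$" followed by 22 characters that
 * encode 16 random bytes. Returns 0 on success, -1 on bad arguments. */
int gensalt_2a(const char *prefix, unsigned count,
               const unsigned char *rnd, size_t rnd_len,
               char *out, size_t out_len)
{
    /* bcrypt's cost is a log2 iteration count in the range 4..31. */
    if (strcmp(prefix, "$2a$") != 0 || count < 4 || count > 31 ||
        rnd_len < 16 || out_len < 7 + 22 + 1)
        return -1;
    char *p = out + snprintf(out, out_len, "%s%02u$", prefix, count);
    for (size_t i = 0; i < 16; ) {
        unsigned c1 = rnd[i++];
        *p++ = itoa64[c1 >> 2];
        c1 = (c1 & 0x03) << 4;
        if (i >= 16) {              /* 16th byte: only two characters */
            *p++ = itoa64[c1];
            break;
        }
        unsigned c2 = rnd[i++];
        *p++ = itoa64[c1 | (c2 >> 4)];
        c1 = (c2 & 0x0f) << 2;
        c2 = rnd[i++];
        *p++ = itoa64[c1 | (c2 >> 6)];
        *p++ = itoa64[c2 & 0x3f];
    }
    *p = '\0';
    return 0;
}

int main(void)
{
    unsigned char rnd[16];
    char salt[32];
    FILE *f = fopen("/dev/urandom", "rb");   /* assumed entropy source */
    if (!f || fread(rnd, 1, sizeof rnd, f) != sizeof rnd)
        return 1;
    fclose(f);
    if (gensalt_2a("$2a$", 8, rnd, sizeof rnd, salt, sizeof salt) != 0)
        return 1;
    puts(salt);   /* this string is what gets passed to crypt(3) as the salt */
    return 0;
}
```

The resulting string is handed to crypt(3) unchanged, so the calling module never needs to interpret the prefix or the count itself.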




