> > Let me also suggest something: stop using non-iterated SHA-1 hashes
> > before they're used any wider. Use a modern iterated hash intended
> > for passwords instead. It would be best to use crypt(3) available on
> > the system, and let the administrator choose the hashing method (with
> > a prefix/count pair).
>
> Why? The combination of SHA1 and modexp used in EPS seems to give a
> pretty good level of security.

SHA1 alone is probably secure enough as a cryptographic hash. It's not
the point I was making.

> If it makes you feel any better, the
> hash can be iterated if an optional count is specified.

Yes, it does make me feel better: my users need to memorize secrets
that are ~16 bits smaller. I suggest that you also drop SHA1 and use
one of the hashes already provided by the system via crypt(3), as these
hashes will change to meet the properties we will want from them in
the future (I already have some concerns on bcrypt).

> > With the SHA-1 hashes, I'd rather avoid using SRP/EPS on my systems.
>
> I don't understand this comment - the EPS hashes work pretty well on my
> systems, and SRP solves a bunch of network security problems once EPS
> passwords are set.

_Network_ protocol security problems, yes, but with your current
implementation, this is done at the expense of the ease of recovering
from a successful break-in. This is what I don't like.

Please, CC me on your pam-list replies, or let's move to private mail
as this isn't really a PAM topic.

Signed,
Solar Designer
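
An added example, not part of the original message or of any EPS/SRP code: it reads the iteration count out of a crypt(3) prefix/count setting string and turns it into the number of bits of secret the count saves the user, which is the "~16 bits" trade-off mentioned above when the count is 2^16. The setting strings and salts are constructed, and the function names are hypothetical; it assumes one iteration costs an attacker about as much as one non-iterated hash.

```python
import math

# crypt(3) base-64 alphabet
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def iteration_count(setting):
    """Return the iteration count a crypt(3) setting string selects."""
    if setting.startswith("$2"):
        # bcrypt: "$2a$NN$salt", NN is log2 of the iteration count
        return 1 << int(setting.split("$")[2])
    if setting.startswith("_"):
        # BSDi extended DES: "_" + 4 count chars + 4 salt chars;
        # the 24-bit count is stored least significant 6 bits first
        if len(setting) < 9:
            raise ValueError("truncated extended DES setting")
        return sum(ITOA64.index(c) << (6 * i)
                   for i, c in enumerate(setting[1:5]))
    if setting.startswith("$1$"):
        return 1000  # FreeBSD MD5-based crypt: fixed loop count
    raise ValueError("unrecognised prefix: %r" % setting[:3])


def stretch_bits(setting):
    """Bits of attacker work the count adds over a single hash call.

    Assumption: one iteration costs about as much as one plain hash.
    """
    return math.log2(iteration_count(setting))


def bits_to_memorize(target_bits, setting):
    """Secret entropy still needed to reach target_bits of guessing cost."""
    return max(0.0, target_bits - stretch_bits(setting))


if __name__ == "__main__":
    # Constructed settings (salts are made up for this example).
    for s in ("_J9..salt", "$1$saltsalt$", "$2a$16$" + "a" * 22):
        print("%-12s count=%-6d saves %.1f bits"
              % (s[:12], iteration_count(s), stretch_bits(s)))
```
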