OVERVIEW:

I have a new pam module (pam_crypt) that currently has support for authentication and password management. Session and account management could easily be added, but I currently don't see much of a reason... maybe in a future release.

The main goal of the module is to provide a great deal of flexibility. The primary selling point is that a wide range of cryptographic algorithms can be used (currently 3, this will increase significantly when other people submit algorithm modules or I adapt a few more algorithms). Currently there is support for md5, des, and vcblowfish (formerly known as glibfish).

Currently I am going to be working on documentation updates (this email will become the README file most likely :). In the next week or so there should be a new release solely with more documentation.

If you are interested in playing with this, it can currently be found at:
http://www.whstechs.org/pam_crypt/

I have done rather extensive testing and the module is currently usable. There may be bugs, and I recommend you make a backup copy of your /etc/passwd and /etc/shadow. Beta testing a program that messes with extremely important system files is not for the novice user. You have been warned. Please submit bug reports though.

I have a question for the list. Is there anything I need to do to pam_crypt before it can be added to the main Linux-PAM release?

ALGORITHM MODULES:

Algorithms are supported via loadable modules (a la libdl). Each algorithm gets a loadable module and has 2 global functions that pam_crypt can call. One is basically a crypt(3) compatible interface that will encrypt a key given a salt and return the result (this is used for authentication purposes). The second is used when creating a new password based only on a key. The function is then responsible for getting a random salt (optionally assisted by pam_crypt for getting random data). After the new encrypted password has been created the function must update the passwd (or shadow) file.
To do this the algorithm module relies on pam_crypt, which provides a very simple interface that provides a very safe and secure method of updating the appropriate file. See the API file in the tarball for more information.

SPECIFICATIONS:

There is a main pam_crypt.so module that replaces pam_unix/pam_pwdb and is a standard pam module. Then there is a pam_crypt.conf file that has information on algorithm modules and the various algorithms. Each algorithm is distinguished by a unique salt (md5 uses $1$, vcblowfish $VCB1$, des uses no salt). In the config file you can specify the algorithm to use for newly created passwords, a method for obtaining random entropy for salt creation, and the directory where algorithm modules can be found.

VCBLOWFISH:

VCBlowfish (Variable Cost Blowfish) is a Blowfish-based implementation of crypt() that supports variable length salts and an adjustable cost to slow down password cracking attempts as hardware speed increases. When I wrote this algorithm, I borrowed some of the ideas presented by bcrypt (openbsd) and included some of my own design ideas on how to make an algorithm that would stand the test of time (unlike des, hehe).

ELITE EXTRAS:

Fully compatible with modules such as cracklib. It is more flexible than pam_unix in that you can specify where the passwd file is, which is very useful if you don't want to use system accounts for a given service (this could be used with vsftp to create ftp user accounts without creating any system accounts).
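
Added example (not part of the original announcement and not pam_crypt's own code): one way to pick an algorithm module from the salt prefixes listed under SPECIFICATIONS. The names select_algorithm, algo_table and looks_like_des are hypothetical; rejecting locked entries and checking the 13-character DES shape before falling back to des are assumptions added here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefix table built from the identifiers named in the announcement.
 * The struct and function names are hypothetical, not pam_crypt's API. */
struct algo_entry { const char *prefix; const char *module; };

static const struct algo_entry algo_table[] = {
    { "$1$",    "md5" },
    { "$VCB1$", "vcblowfish" },
};

/* Traditional DES crypt(3) output: exactly 13 chars from [./0-9A-Za-z]. */
static int looks_like_des(const char *field)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return strlen(field) == 13 && strspn(field, alphabet) == 13;
}

/* Return the module name for a stored password field, or NULL when the
 * field is empty, locked ("!" or "*"), or in no recognised format. */
const char *select_algorithm(const char *field)
{
    size_t i;

    if (field == NULL || field[0] == '\0' || field[0] == '!' || field[0] == '*')
        return NULL;
    for (i = 0; i < sizeof(algo_table) / sizeof(algo_table[0]); i++) {
        size_t n = strlen(algo_table[i].prefix);
        /* A bare prefix with nothing after it is not a usable entry. */
        if (strncmp(field, algo_table[i].prefix, n) == 0 && field[n] != '\0')
            return algo_table[i].module;
    }
    /* des has no prefix, so it is the fallback; '$' is outside the DES
     * alphabet, so an unknown "$x$..." entry is rejected, not sent to des. */
    return looks_like_des(field) ? "des" : NULL;
}

int main(void)
{
    /* Constructed sample field, not a real hash. */
    const char *m = select_algorithm("$VCB1$constructed");
    printf("%s\n", m ? m : "(rejected)");
    return 0;
}
```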