On Wed, Apr 16, 1997 at 03:56:47PM -0500, Adam Slattery wrote:
> > Also, how do you plan to support password changing? Is it done in a
> > modular way as well? If so, which modules are available?
>
> Pam_crypt already does this :). I think I discussed this in an earlier

BTW, what I saw in this piece was one of the reasons I said your code
is not clean enough. It has the same flaws that libpwdb and pam_unix
do (may corrupt password files). (I've explained that on pam-list and
security-audit last year.)

> message but I'll give an overview. Everything dealing with a certain
> hashing algorithm (md5, des, etc) is handled in a dynamically loadable
> module specific to that algorithm, including password changing. In case
> there was confusion, pam_crypt is functional (although in alpha release) and
> has full support for md5, des, and now openbsd bcrypt. Support is also
> included for vcblowfish, but I might drop this (mainly at the request of
> solar designer) for reasons discussed earlier in this thread. I'm sure

Thanks.

> somebody has started work on an AES (Rijndael) crypt() implementation.

That would be unfortunate. It's not the underlying cipher which is
most important, and it is non-obvious if AES is a better choice.

> Although I wouldn't recommend using this the day it comes out, pam_crypt
> will provide an excellent way for the author to get people to adopt his
> algorithm.

Which is both good and bad. It's bad as it makes migration to other
systems harder. Those other systems may lack PAM support or not use
it for a particular service.

> Take bcrypt for example: OpenBSD uses it. Solar Designer made a
> glibc patch, but I haven't met anybody that actually uses it. When

It's default in Mandrake 7.0 Russian Edition (no, I wasn't doing any
development/packaging for them) and in Owl (which is still not public,
but is used in a few places).

> pam_crypt is more widely used, I can guarantee you that a lot of people will
> start using bcrypt on their linux boxes. In fact, I know somebody that does
> this now with pam_crypt :-).

With bcrypt, this is clearly the good part as bcrypt is already used
on OpenBSD for some years now.

> PS: What is up with this Brazilian auto-responder thing? It is getting
> extremely annoying. Does anybody else get messages from terra@zaz.com.br
> whenever they post to the list?

I think everyone does (I do). :-(

--
/sd