Subject: Re: Making Linux use Blowfish for passwd/shadow encryption
From: Ethan Benson <erbenson@xxxxxxxxxx>
Date: Wed, 24 Sep 2003 22:33:17 -0800
To: pam-list@xxxxxxxxxx

On Wed, Sep 24, 2003 at 06:34:58PM +0400, Solar Designer wrote:
> On Wed, Sep 24, 2003 at 03:11:33PM +0100, Mark Watts wrote:
> > I'm currently converting an old OpenBSD box to linux, and I need to move the user accounts across.
> > Short of cracking the blowfish password hashes in master.passwd, can I make Linux (PAM) use blowfish instead of md5 so I don't need to convert the hashes?
>
> Yes.
>
> The easiest is to install a distribution which already includes support for those hashes "out of the box". You can try ours:
>
> http://www.openwall.com/Owl/
>
> Or one from ALT Linux team:
>
> http://www.altlinux.com
>
> Alternatively, you may "patch" the support into whatever distribution you have, using these packages:
>
> http://www.openwall.com/crypt/
> http://www.openwall.com/tcb/

is there any particular reason more distros haven't adopted these patches? all the major players already distribute strong crypto so that can't be the reason...
------------------------------------------------------------------------
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
Well, if all the applications that would need to authenticate use PAM, someone could write a PAM module (or a patch on pam_unix) that checks if the stored hash is a Blowfish hash (what's the code, $2?) and checks it itself, and if not, passes it on to crypt(). That would take some coding and a knowledge of Blowfish, but it's not as invasive as installing a new libc.
I've done something similar using Apache password hashes - expect to see me post the code to this list within the next couple of weeks.
Rennie deGraaf
-- -ASCII silly question, get a silly ANSI. -????
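
The dispatch proposed in the message above (recognise a Blowfish hash by its prefix, check it separately, pass everything else to crypt()), sketched as an added example that is not code from this thread or from pam_unix. The `$2a$`/`$2b$`/`$2y$` identifiers and the 60-character layout are bcrypt's modular-crypt format; `classify_hash`, `check_password` and the counting stand-in back ends are hypothetical names, and a real module would call a bcrypt implementation and crypt(3) in their place.

```c
#include <stdio.h>
#include <string.h>

/* A back end returns 1 if candidate matches the stored hash, else 0. */
typedef int (*verify_fn)(const char *candidate, const char *stored);
enum scheme { SCHEME_BCRYPT, SCHEME_OTHER, SCHEME_INVALID };
static const char BF64[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Well-formed bcrypt: "$2" + a/b/y + "$" + cost 04..31 + "$" + 53 chars
   (22 salt, 31 hash). Any other string starting "$2" is malformed. */
enum scheme classify_hash(const char *h)
{
    if (h == NULL) return SCHEME_INVALID;
    if (strncmp(h, "$2", 2) != 0) return SCHEME_OTHER;
    if (h[2] == '\0' || strchr("aby", h[2]) == NULL || h[3] != '$') return SCHEME_INVALID;
    if (h[4] < '0' || h[4] > '3' || h[5] < '0' || h[5] > '9' || h[6] != '$')
        return SCHEME_INVALID;
    int cost = (h[4] - '0') * 10 + (h[5] - '0');
    if (cost < 4 || cost > 31) return SCHEME_INVALID;
    if (strlen(h + 7) != 53 || strspn(h + 7, BF64) != 53) return SCHEME_INVALID;
    return SCHEME_BCRYPT;
}

/* Route to one back end; a malformed "$2" hash fails closed. */
int check_password(const char *candidate, const char *stored,
                   verify_fn bcrypt_backend, verify_fn crypt_backend)
{
    switch (classify_hash(stored)) {
    case SCHEME_BCRYPT: return bcrypt_backend(candidate, stored);
    case SCHEME_OTHER:  return crypt_backend(candidate, stored);
    default:            return 0;
    }
}

/* Constructed stand-ins that only count calls and never report a match. */
int bcrypt_calls, crypt_calls;
int demo_bcrypt(const char *c, const char *s) { (void)c; (void)s; bcrypt_calls++; return 0; }
int demo_crypt(const char *c, const char *s) { (void)c; (void)s; crypt_calls++; return 0; }

int main(void)
{
    /* Constructed, format-valid strings; not real password hashes. */
    const char *bf = "$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
    check_password("pw", bf, demo_bcrypt, demo_crypt);
    check_password("pw", "$1$saltsalt$abcdefghijklmnopqrstuv", demo_bcrypt, demo_crypt);
    check_password("pw", "$2a$08$truncated", demo_bcrypt, demo_crypt);
    printf("bcrypt back end: %d, crypt back end: %d\n", bcrypt_calls, crypt_calls);
    return 0;
}
```

A truncated or otherwise malformed `$2` entry reaches neither back end, so it can never be compared by a crypt() that does not understand the format.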