Fwd: crypt_blowfish 0.4.6

Robert Connolly robert at linuxfromscratch.org
Tue Apr 27 14:27:01 PDT 2004


On April 27, 2004 06:55 am, Rogelio Serrano wrote:
> On 2004-04-27 18:43:35 +0800 Robert Connolly
> <robert at linuxfromscratch.org> wrote:
> > On April 26, 2004 07:26 am, Archaic wrote:
> >> ----- Forwarded message from Solar Designer <solar at openwall.com> -----
> >> A new version of the password hashing package, crypt_blowfish 0.4.6,
> >> has been released.
> >
> > I can install libxcrypt and crypt_blowfish fine. My problem is getting
> > shadow and/or pam to use it.
>
> I think it's not necessary to use shadow or pam with crypt
> blowfish. It was designed to be public readable because its
> security depends on a dictionary attack being too slow. With 55
> byte passwords I think that's secure enough. I'm using it now on
> a uClibc system and I used a very high round value of 12. It
> takes about 1.5 seconds to compute the hash value when I log
> in on an Athlon 1900+ system. OpenBSD uses 6 rounds I think and
> their /etc/passwd is world readable. I'm actually using the SRP
> verifier instead of the hash in my world readable /etc/passwd.
> This way SRP logins are supported directly and local logins
> compute the verifier directly from the password. I'm not using
> SSH at all.

Owl and Suse are using this library with shadow. I don't think we need to 
remove shadow to use blowfish. I don't think we would want to either. obsd's 
password file isn't world readable, they use /etc/master.passwd. 



