Blowfish support in crypt() (glibc) ?

Archaic archaic at linuxfromscratch.org
Sun Jun 6 20:40:09 PDT 2004


On Mon, Jun 07, 2004 at 11:18:06AM +1000, Ryan.Oliver at pha.com.au wrote:
> 
> > Anyone want to discuss or vote on this?
> 
> I'd have to have a play with it, must admit I'm happy enough
> with MD5 crypt for system accounts that need passwords (of which
> there is only one (root), any accounts requiring passwords I generally
> shunt into kerberos).

And here comes the fun part of writing these books... Frankly, I've just
fiddled with Kerberos a little bit, but I like it and hope to implement
it more fully at some point. As far as openwall, they produce some rock
solid stuff, and since we are *mainly* directing at production servers,
OW is a pretty safe bet. However, is what they are offering really
valuable? As Ryan mentioned, there will rarely be more than one system
user with a password and many servers won't have more than one local
non-root user as many things are going to db lookups for virtual users.

We would really need a non-biased list of pros and cons of each method
of authentication first. Then we can talk about encryption.

But to get my 2 cents in on encryption, MD5 and blowfish are still only
as safe as the user creating the password. I ran Djohn (the distributed
john the ripper server) with 3 fast clients on an intranet on some
random passwords hashed with MD5 and it seemed to still be good. After 8
days, john still hadn't figured out what I would call a relatively
simple alpha-numeric, no-uppercase password. It did crack it on the 9th
day, but this was 3 machines doing nothing but hammering on it. After
30 days, I killed the process on another password that had only 8 chars
with those chars being 3 lowercase, 4 numeric, and one non-alphanumeric.
So it seems that MD5 is still quite good, however I'm not against
blowfish. I think we just need to get opinions first on what form of
authentication, and then decide on how to implement it.

People with personal experience using competing methods should weigh
in, too, so we get more POVs.

-- 
Archaic

Good intentions will always be pleaded for every assumption of
authority. It is hardly too strong to say that the Constitution was made
to guard the people against the dangers of good intentions. There are
men in all ages who mean to govern well, but they mean to govern. They
promise to be good masters, but they mean to be masters.

- Daniel Webster




More information about the hlfs-dev mailing list