0.2 Roadmap

Sebastian Faulborn sfaulborn at web.de
Wed Jul 26 06:11:33 PDT 2006

What about adding blowfish passwords which is a major improvement in 

Most people think that their server is save because they have done 
so nobody can break into their system from the outside.

However anyone who has access to the server could get the /etc/shadow
file (eg. reboot with Live-CD, get access to changed harddisk - replace
hotswap harddisk of raid1, etc.)

Its a matter of seconds to break md5 hashed passwords (eg. database
attack which works due to md5's small salt) or a brute force attack can
be done in hours/days due to its fast implementation.

Blowfish on the other hand can be made arbitrarily slow by defining a single
parameter - and hence can be adjusted to current hardware speed.
Due to the large salt, blowfish cannot be used with database attacks.

Installation is simple, allthough the hint has problems with OpenSSH:
- Ch.5 does not need blowfish passwords
- suppress installation of libcrypt in glibc
- install libxcrypt as in hint after GCC, before coreutils (which 
depends on libcrypt)
- instead of linking /usr/include/crypt.h to xcrypt.h, copy xcrypt.h and 
patch it
so that all the x*(...) functions are replaced by their names as in the 
crypt.h (remove all the #define)

If you don't do the last step, OpenSSH will segfault when trying to login.
OpenSSH has a function xcrypt() which calls crypt() which is defined in
xcrypt.h and hence in crypt.h as a #define to xcrypt() which
causes OpenSSH to call xcrypt() in an infinte loop until the stack 
A few other packages also have problems compiling without the patch.

If you would like, I could supply the text/patch.

Sebastian Faulborn
Homepage: http://www.secure-slinux.org

More information about the hlfs-dev mailing list