Blowfish Password Support meets Linux-PAM
thekevinday at gmail.com
Thu Jan 18 18:39:32 PST 2007
I've been spending some time (under uClibc) using Robert's
blowfish/shadow patch instructions.
The only problems I have had were:
1) ssh not logging on
2) shadow was leaking memory
I generally have used Linux-PAM as I feel it adds more security (minus
the fact that it is extra code and increases "potential" security
problems), such as simple LDAP support.
While trying to fix shadow and ssh, I decided to remove the
shadow-blowfish patch as well as the uClibc patch that removes the
normally compiled and installed libcrypt.so* files.
Once I did this, I had forgotten to change my Linux-PAM files in
/etc/pam.d/ to md5 from blowfish.
After that I booted and logged into the system using pre-built
passwd/shadow files, where I once again forgot to change them to md5.
This occurred to me after I logged in. So, naturally, I thought I
screwed up and forgot to make the changes in the correct places. I
did after all leave libxcrypt in the installation process.
Turns out Linux-PAM supports blowfish passwords. I was not aware of
this, and this may be quite useful to point out in the blowfish hint
Robert has made.
This also gives me another reason to push Linux-PAM onto the Hardened
LFS package listings. I still have and use a uClibc patch to make
Linux-PAM work under uClibc that I made for Linux-PAM 0.80. It has
been adapted for Linux-PAM 0.99.7.0 quite nicely.
Blowfish passwords without any extra patches to make blowfish work
seems nice and feels quite safer to me than a patch to shadow. (and I
am still not clear what was causing shadow's memory leak, but its
coincidental timing makes me suspect the shadow blowfish patch, but I
have no real or strong argument to say so other than valgrind pointing
to the shadow library amongst other leaks)