Blowfish Password Support meets Linux-PAM

Kevin Day thekevinday at gmail.com
Thu Jan 18 18:39:32 PST 2007


I've been spending some time (under uClibc) using Robert's
blowfish/shadow patch instructions.

The only problems I have had were
 1) ssh not logging on
 2) shadow was leaking memory

I generally have used Linux-PAM as I feel it adds more security (minus
the fact that it is extra code and increases "potential" security
problems), such as simple ldap support.

While trying to fix shadow and ssh, I decided to remove the
shadow-blowfish patch as well as the uClibc patch that removes the
normally compiled and installed libcrypt.so* files.

Once I did this, I had forgotten to change my Linux-PAM files in
/etc/pam.d/ to md5 from blowfish.
I then booted and logged into the system using pre-built
passwd/shadow files that I had once again forgotten to change to md5
format.

This occurred to me after I logged in.  So, naturally, I thought I
screwed up and forgot to make the changes in the correct places.  I
did after all leave libxcrypt in the installation process.

Turns out Linux-PAM supports blowfish passwords.  I was not aware of
this, and this may be quite useful to point out in the blowfish hint
Robert has made.

This also gives me another reason to push Linux-PAM onto the Hardened
LFS package listings.  I still have and use a uClibc patch to make
Linux-PAM work under uClibc that I made for Linux-PAM 0.80. It has
been adapted for Linux-PAM 0.99.7.0 quite nicely.

Blowfish passwords without any extra patches to make blowfish work
seems nice and feels quite a bit safer to me than a patch to shadow. (and I
am still not clear what was causing shadow's memory leak, but its
coincidental timing makes me suspect the shadow blowfish patch, but I
have no real or strong argument to say so other than valgrind pointing
to the shadow library amongst other leaks)

-- 
Kevin Day
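The mismatch described above (shadow hashes in one format, pam_unix told to use another) is easy to check for. The script below is an added example and is not part of Kevin's post or of the Linux-PAM or HLFS sources. It classifies each /etc/shadow entry by its crypt(3) "$id$" prefix ($2a$ blowfish, $1$ md5, $5$/$6$ sha256/sha512, otherwise traditional DES), reads the hashing option off the "password ... pam_unix.so" line of a pam.d file, and lists accounts whose stored hash uses a different scheme. The option names (md5, blowfish, sha256, sha512) are those of pam_unix in current Linux-PAM; that the same spelling was in use in 0.99.7.0 is an assumption. Both input files are constructed in a temporary directory, with placeholder hashes, so nothing touches the real /etc/shadow. The simple tokenizer assumes the one-word control syntax ("required", "sufficient"); bracketed controls like "[success=1 default=ignore]" would need a smarter parser.

```shell
#!/bin/sh
# Added example, not from the original post: compare the hash scheme stored
# for each shadow entry with the scheme pam_unix is configured to use.
# Input files are constructed below; the hashes are placeholders, not real.

# Map a crypt(3) string to its scheme name by its "$id$" prefix.
hash_scheme() {
    case "$1" in
        ''|'!'*|'*'*)            echo locked ;;   # empty, "!" or "*": no usable password
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;; # $2a$ plus later bcrypt variants
        '$1$'*)                  echo md5 ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        *)                       echo des ;;      # 13-char traditional DES or unknown
    esac
}

# Print "user scheme" for every entry in a shadow-format file.
shadow_schemes() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done < "$1"
}

# Report the hashing scheme given on the "password ... pam_unix.so" line of a
# pam.d file. With no md5/blowfish/sha256/sha512 option pam_unix falls back to
# traditional DES crypt, reported here as "des".
pam_unix_scheme() {
    scheme=des
    while read -r type control module opts; do
        case "$type" in '#'*|'') continue ;; esac
        [ "$type" = password ] || continue
        case "$module" in *pam_unix.so) ;; *) continue ;; esac
        for o in $opts; do
            case "$o" in md5|blowfish|sha256|sha512) scheme=$o ;; esac
        done
    done < "$1"
    echo "$scheme"
}

# List accounts whose stored hash scheme differs from the configured one.
# pam_unix verifies whatever the installed crypt(3) accepts (this is why a
# blowfish-hashed shadow still logs in once libxcrypt is present), but the
# next password change rewrites the entry in the configured scheme.
mismatched_users() {
    want=$(pam_unix_scheme "$2")
    shadow_schemes "$1" | while read -r user scheme; do
        if [ "$scheme" != locked ] && [ "$scheme" != "$want" ]; then
            echo "$user"
        fi
    done
}

# --- constructed sample input (placeholder hashes, temporary files) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
SHADOW_FILE="$tmpdir/shadow"
PAM_FILE="$tmpdir/system-auth"

cat > "$SHADOW_FILE" <<'EOF'
root:$2a$08$SaltSaltSaltSaltSaltSeHashHashHashHashHashHashHashHas:13500:0:99999:7:::
kevin:$1$saltsalt$HashHashHashHashHashHa:13500:0:99999:7:::
svc:!:13500:0:99999:7:::
legacy:ab0123456789Z:13500:0:99999:7:::
EOF

cat > "$PAM_FILE" <<'EOF'
# constructed pam.d fragment: "blowfish" is the option the post mentions
# forgetting to change to "md5"
auth     required   pam_unix.so
account  required   pam_unix.so
password required   pam_unix.so blowfish shadow
session  required   pam_unix.so
EOF

report() {
    echo "pam_unix password scheme: $(pam_unix_scheme "$PAM_FILE")"
    echo "stored hash schemes:"
    shadow_schemes "$SHADOW_FILE" | sed 's/^/  /'
    echo "accounts whose stored hash does not match the configured scheme:"
    mismatched_users "$SHADOW_FILE" "$PAM_FILE" | sed 's/^/  /'
}
report
```

Run it as-is to see the demo; to audit a real system, point shadow_schemes at /etc/shadow (as root) and pam_unix_scheme at the pam.d file that carries your "password" stack.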
