Feature Proposal: Transparent upgrade of crypt() algorithms
Xin Li
delphij at delphij.net
Fri Mar 7 22:06:45 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
> Allan Jude wrote:
>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>> Allan Jude wrote:
>>>
>>> [...]
>>>
>>>> Honestly, my use case is just silently upgrading the strength
>>>> of the hashing algorithm (when combined with my other feature
>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>> or something. Same applies for the default sha512, maybe I
>>>> want to update to rounds=15000
>>>
>>> Like this?
>>>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>>
>>> Request for comments:
>>>
>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>>
>>
>> This looks like what we wanted. In the feedback you talked about
>> some changes to your patch required to make it work, is there any
>> progress on those?
>
> Derek's patches worked perfectly for our needs, but we're the sort
> of people who use vipw and our own utilities for user management.
> It wasn't until later that we discovered at least one other file
> would need patching to satisfy everyone. We didn't want to employ
> the same copy-pasta method, so we asked for feedback about our
> proposed alternative.
>
> secteam@, do you have any comments? Before we put any more work
> into this, we want to be sure that our proposal is an acceptable
> one.
>
Did you mean adding rounds capability, or transparent upgrade of
crypt() algorithms, or both?
I need some time to digest the whole transparent upgrade idea but in
general I think it's good.
Speaking for adding rounds, the only problem that needs to be fixed is
that the proposed patch makes it possible to create conflicting
configuration (passwd_format and passwd_modular can use different
hashing algorithms) and need to be fixed and polished. I like the
idea of making it possible to use more rounds though.
Cheers,
- --
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTGkLzAAoJEJW2GBstM+nsaVoP/017iARGzd++lCsfqyFDozGk
nXJjatlrIcRjrbCmVRT0lsHiK/hoYJ4zZPeOu8EXU1Qs0/wggGHYePX7+zEVob2S
YCxhqUOdG/jqrHnH8bljzWE/OtI7Y4PvFOLpsWkOE/uulssQfGDMSy8WJzFriqzv
GXjAEyFrGXCT29gW6ozTRfDfPSOfd4MhwewbMYAUykSqucMfkG4FaDAgLxv/XdRi
YmLQZuxxTzEqMYanZGq/0e5CvOwOuncd0aVxncJC8ZRcsHs5cqbzcyDkkRwvw/YU
g1OsLXiO08zej0rOz1E4pud8O6q3unG5dNcz9Y96oNo0fJONMrk9IetCUCHBsR8N
eyWJQyHL7wwwNlC5k8U9cOnsL3zxBv54N6bfWuWNNDpJmNrvgMr9LdPso+AX0gLD
y4RhVJeLCQbLrkQawoM1+Ki5N0mQibk9BBGXH/ZPScP1pNqVt9tqXp94N5ZPLV54
Uu4cn/2uKjtTjl76YFlCTvfwwiuWgds1k6CnKZIW8luOp4cG5XOoOSztONqWr6S/
yd7SLDV4f8PC7Fi1iSkSuVW5MYz1I7RRVR1Z27oV3e3UwXwIgqRjHJawNZqIgVe1
4lk84+fm75ULLfiA6bgkMCjylyWHCzrdOQt/Zx+0vyZOer5x2p4gZmnYAyV2EQIP
TM611j1UES6OUGFkfbWa
=4Qur
-----END PGP SIGNATURE-----
More information about the freebsd-current
mailing list