system password's file

Robert Watson rwatson at FreeBSD.org
Fri Oct 14 05:17:11 PDT 2005 

On Fri, 14 Oct 2005, Sergey Babkin wrote:

>> The main man page you want to look at is passwd(5), which documents the 
>> formats of the /etc/master.passwd and /etc/passwd file.  In FreeBSD, 
>> the master.passwd file is the equivilent of the shadow file in Linux. 
>> What you want to do is convert the Linux password files to the 
>> master.passwd file in FreeBSD, and then run
>
> Historically the problem has been that FreeBSD used its own MD5 
> algorithm for encrypting the passwords which was incompatible with any 
> other Unix, so just copying the password field to FreeBSD did not work. 
> I don't know if it's fixed now or not. The reason for that was in the US 
> cryptography export regulations, and those have been improved in the 
> last few years. In any case, even if it's not directly supported then 
> probably a PAM module can still be written.
>
> Hm, considering the we'd like people to migrate from Linux to FreeBSD, 
> having such a conversion script/program (especially if someone writes it 
> for their own use anyway) in the base system would make a lot of sense.

As far as I know, we've been able to read the DES hashes without a problem 
as long as the right optional crypto bits were installed.  Sometime in the 
4.x series, the optional crypto bits become less optional, in that because 
of changes in patents and export policy, integrating them tightly became a 
more possible.  These days, the DES bits are installed by default, and so 
portable DES hashes should "just work".

However, we do write them out in the MD5 hash still by default, so the 
problem is not getting to a recent FreeBSD, but to switch away later 
should that be desirable.  There's a login.conf entry you can use to 
specify a preference for what hash to use when writing out a new entry, 
and this is trivially changeable:

         :passwd_format=md5:

If you are running in a multi-OS environment using shared password 
database entries, such as NIS, you will want to set the default to DES if 
other systems don't support the md5 scheme (which is supported on an 
increasing number of other systems), in order that password changes on a 
FreeBSD system don't leave you unable to log into other systems.

Robert N M Watson

More information about the freebsd-hackers mailing list