[CFR] Re: [patch] libcrypt & friends - modular crypt format support in /etc/login.conf

John-Mark Gurney jmg at funkthat.com
Wed Feb 11 02:19:14 UTC 2015 

Derek (freebsd lists) wrote this message on Tue, Feb 10, 2015 at 07:26 -0500:
> I've been working on this for a while, and I've produced a patch 
> that does a few things with the base system:
> 
> 1. allows modular crypt to be specified as passwd_format in 
> /etc/login.conf
>    - this allows setting the algorithm *and rounds*, i.e. $2b$10$ 
> for users of varying classes.
>    - this will allow any future algorithms and parameters 
> supported by crypt(3) to be supported by the tools around login.conf
> 
> 2. introduces a new api, crypt_makesalt which will generate an 
> appropriate salt for any algorithm selected
> 
> 3. updates userland to use this API, and removes totally the 
> {crypt_set_format, login_setcryptfmt, login_getcryptfmt} APIs
> 
> 4. switches crypt algorithms to use thread-local storage, so the 
> good old global crypt buffer is thread-local
> 
> 5. includes a bunch of new test vectors for libcrypt ATF tests
> 
> 
> There are references to previous discussions/patches/etc here:
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182518
> 
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=168499+0+/usr/local/www/db/text/2013/freebsd-current/20131006.freebsd-current
> 
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=361757+0+/usr/local/www/db/text/2014/freebsd-current/20140112.freebsd-current
> 
> 
> And most recent discussion here:
> 
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1751919+0+archive/2014/freebsd-current/20140716.freebsd-current
> 
> 
> Anyways, I've put a bunch of work into this, and am anxious to 
> actually get this accepted into -HEAD.
> 
> 
> 
> What more can I do at this point?

I finally got around to reviewing this...

For the tests, we should probably add an invalid password test for
each format...

We need man pages for the new function...  I guess this new man
page would be a good place to document all the modular formats in
more detail..  what is in crypt(3) isn't that useful...  Also,
crypt(3) should have an xref to crypt_makesalt...

Other than those, unless someone objects, I'll commit it...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

More information about the freebsd-security mailing list