Re: Feature Proposal: Transparent upgrade of crypt() algorithms
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--kN5MUE7NooA3HWAQt4Osct65qbTiqa8qT
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 2014-03-07 17:06, Xin Li wrote:
> Hi,
>=20
> On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
>> Allan Jude wrote:
>>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>>> Allan Jude wrote:
>>>>
>>>> [...]
>>>>
>>>>> Honestly, my use case is just silently upgrading the strength
>>>>> of the hashing algorithm (when combined with my other feature
>>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>>> or something. Same applies for the default sha512, maybe I
>>>>> want to update to rounds=3D15000
>>>>
>>>> Like this?
>>>>
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=3D182518
>>>>
>>>> Request for comments:
>>>>
>>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>>>
>>>
>>> This looks like what we wanted. In the feedback you talked about
>>> some changes to your patch required to make it work, is there any
>>> progress on those?
>=20
>> Derek's patches worked perfectly for our needs, but we're the sort
>> of people who use vipw and our own utilities for user management.
>> It wasn't until later that we discovered at least one other file
>> would need patching to satisfy everyone. We didn't want to employ
>> the same copy-pasta method, so we asked for feedback about our
>> proposed alternative.
>=20
>> secteam@, do you have any comments? Before we put any more work
>> into this, we want to be sure that our proposal is an acceptable
>> one.
>=20
>=20
> Did you mean adding rounds capability, or transparent upgrade of
> crypt() algorithms, or both?
There are 2 separate but related threads
1) specify rounds for crypt()
2) transparent upgrade of crypt() algo (or more likely just number of
rounds)
>=20
> I need some time to digest the whole transparent upgrade idea but in
> general I think it's good.
>=20
> Speaking for adding rounds, the only problem that needs to be fixed is
> that the proposed patch makes it possible to create conflicting
> configuration (passwd_format and passwd_modular can use different
> hashing algorithms) and need to be fixed and polished. I like the
> idea of making it possible to use more rounds though.
>=20
> Cheers,
>=20
--=20
Allan Jude
--kN5MUE7NooA3HWAQt4Osct65qbTiqa8qT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJTGk3hAAoJEJrBFpNRJZKfNiYP/0LZM+JWtdLr5ORh7aXXP5L0
olojR8v9O5JgSAZ5LT90WQ4H/tIeJLcmltrW6lr1+oHWegxdq1sMo1vJo9yePUUR
8UeZ6tVtjdblu9IFoeKZwb1RMsKyJcOfUojWZgKyVStxGIZ248/rL4zqaUA+Zujh
wT4jSC9nZx88wzy2IbLL0vR7VPG7bkxnUtiUstIB/ENDZbkjz1ynKX3hx+rNfpuI
fMUMpREnZ+oxU4vB9/pwPytB3krFkPNpcrClqWWEWI9Wphw3Lqr1pvJsYYZ4l8XU
PcLf7D6ir52U+RAmACIU0LtAgy59mecbtkj24hsfS6ywDMbqubc2SG078AUxWFwz
Djxrk+DuBUZUYlBgRohY2MgvyszN+adzUpwNzWXNb1eRpDKQVoXuBF1cSzZ/Z8HA
RRGXzWQaKF+ka29cEIRcSXcC/Bi27BPaWBqxr9fLIQJ5QXJNccbUbftCQUpyUGuL
AtCymZW64jKoMdctOHTP3EU4kBCEeUl4O5azVqULpyGvalas0MUDd1E4PJ1ohwkP
AJ2u0b6lvjNTlqB4KDb2msmaZmvPAVCKZVRqIHQjLVcsA42sfVOtkDfn0jYH2NUU
wbOE5AYgKb3q8YztDwShE9fDVo7HvtRzp62AKnjZq9yNZzfpiP3ey1dE7+A1Hg1D
No7/IdZH94KVC0HcEXcW
=WKjN
-----END PGP SIGNATURE-----
--kN5MUE7NooA3HWAQt4Osct65qbTiqa8qT--
討論串 (同標題文章)
完整討論串 (本文為第 17 之 27 篇):