Home page logo

oss-sec logo oss-sec mailing list archives

Re: weird crypt-sha* in DragonFly BSD
From: "Samuel J. Greear" <sjg () thesjg com>
Date: Fri, 20 Jan 2012 12:52:26 -0700

2. Instead of:

+ * The deprecated sha256/512 functions are somehow sensitive to the
+ * order of this crypt_types array as well as their respective "name"
+ *
+ * In order to ensure that both existing passwords will continue to work
+ * that new passwords will be more secure by using the new algorithms
+ * without updating the existing login.conf, this array is now scanned
+ * backwards. This could be reverted in the future when the deprecated
+ * functionality is removed.

how about using the more reliable approach proposed by magnum here? -


As you can see, he has even spent time to identify the specific 64-bit
magic values.  Of course, you'll need to double-check them (such as by
applying the patch and testing logins to existing accounts with both
sha256 and sha512 on a 64-bit DragonFly system.)

There isn't a collision issue with $3$ and $4$ on DragonFly, so I don't
see any obvious need. I intend to rip the old code out after a few
releases, so the issue (if there is one) will be (relatively) short lived.

We just realized that we obviously need to do this.

Thanks again,

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]