On Thu, 21 Oct 1999, Brian Lavender wrote:
> On Thu, Oct 21, 1999 at 10:30:40PM -0700, Mike Machado wrote:
> > On Thu, 21 Oct 1999, Brian Lavender wrote:
> >
> > > As I understand, Debian slink comes with MD5 crypt because of export
> > > restrictions.
> >
> > To respond to this part of the message, MD5 os way more secure than DES.
> > It looks like a lot of systems are moving to MD5. Heck, cisco has been
> > using it for years. I would reccomend using it instead of DES. I have a
> > crypt library that will detect if the pass was crypted using MD5 or DES
> > and authenticate someone based on that if you want it. I also modified
> > the MD5 perl module to be able to generate MD5 shadow entries which is
> > useful for password changeing programs in perl.
>
> >From the results of my experiment of rebuilding glibc, it seems that I
> rebuilt what was already there (Reinvented the wheel. DOH!). It looks
> as if the crypt is already there on the one of my two debian installs
> which I did not rebuild glibc. The crypt program I compiled produced the
> same results. I don't know if I was short sighted in my test program,
> but I was under the impression that most linux distros shipped a weak
> crypt because of export restrictions, and they did not want to get caught
> in a tangle. Am I correct to conclude that the crypt (I guess I should
> say crypt) is perfectly fine with its existing setup?
>
> Any more comments?
>
> I assume shadow passwords provides good security. I just thought that
> the current password setup on current systems was more easily crackable
> than what was available because of export restrictions.
>
Wanna see something cool? If you really have MD5 crpyt, chanage that C
program you posted to use a salt of $1$abcde$ and see what the output is.
The crypt code looks for the $1$ to determine if it should do regular DES
or MD5.
> >
> > I want to have a real crypt so I went to a german ftp
> > > server, found glibc 2.0.7 source and I downloaded it. Of course the real
> > > crypt is in a separate tar file. I downloaded that too and unpacked it
> > > in the glibc source tree I read the faq as far as compiling glibc and
> > > it said to do a configure like
> > >
> > > ./configure --enable-add-ons=crypt,linuxthreads
>
> BTW, this is what I used in the end with configure. The readme warns that
> a bad or incompatible glibc will break your system. I got the same version
> as the original and added the add-ons
>
> $ ./configure --enable-add-ons=crypt,linuxthreads --prefix=/usr
>
> > >
> > > What I am wondering is, is glibc on slink compiled in with linux threads? It
> > > seems as if there are issues either way and that I probably ought to
> > > go with it if it was compiled in originally.
> > >
> > > I am supposing that I can do the above configure and the following steps, and I should have glibc with crypt
> > >
> > > make
> > > su
> > > make install
> > >
> > > Here is the ftp site where I got crypt for glibc.
> > >
> > > ftp://ftp.gwdg.de/pub/linux/glibc/2.0.7pre6
> > >
> > > brian
> > > --
> > > Brian Lavender
> > > http://www.brie.com/brian/
> > >
> >
> > Mike Machado
> > mike@innercite.com
> > InnerCite
> > Network Specialist
>
> --
> Brian Lavender
> http://www.brie.com/brian/
>
Mike Machado
mike@innercite.com
InnerCite
Network Specialist
This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:07 PST