author: Timo Weingärtner <timo@tiwe.de> 2013-09-29 16:05:34 +0200
committer: Timo Weingärtner <timo@tiwe.de> 2013-09-29 16:05:34 +0200
commit: 77830392bfb48d280d6079167ca0877cb657066b (patch)
tree: e31ecf74581dfd11bc55e7f1b10436d832f10680 /README
parent: 47abe0b5581ffbce0e82b84f1689083e110bd292 (diff)
parent: 8f0e412b48178c00abd023917dd2c9050ee89c18 (diff)
download: libpam-pwdfile-77830392bfb48d280d6079167ca0877cb657066b.tar.gz
Merge tag 'v1.0' into debian
release 1.0
Diffstat (limited to 'README')
-rw-r--r-- README | 20
1 file changed, 18 insertions, 2 deletions
diff --git a/README b/README
index 568cf5a..bf9eacd 100644
--- a/README
+++ b/README
@@ -25,7 +25,7 @@ options
* debug: produce a bit of debug output
* nodelay: don't tell the PAM stack to cause a delay on auth failure
* flock: use a shared (read) advisory lock on pwdfile, you should better move new versions into place instead
-* legacy_crypt: turns on bigcrypt and "broken md5_crypt", you will only need that if you use password hashes from another system that uses those algorithms
+* legacy_crypt: see section LEGACY CRYPT
PASSWORD FILE
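Review bot: The rewritten bullet "* legacy_crypt: see section LEGACY CRYPT" drops the one fact a reader scanning the options list needs, namely that the option is off by default and only required for hashes imported from another system. Keep a short clause in the option list and point to the new section for the details, e.g. "* legacy_crypt: enable bigcrypt and broken md5_crypt (off by default, see section LEGACY CRYPT)".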
@@ -33,6 +33,22 @@ PASSWORD FILE
The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields.
First field contains the username, the second the crypt()ed password.
-Other field are optional.
+Other fields are optional.
crypt()ed passwords in various formats can be generated with mkpasswd from the whois package.
+
+
+LEGACY CRYPT
+============
+
+There are two crypt types that are disabled by default: bigcrypt and broken md5_crypt.
+They are disabled because they use static buffers which is bad when doing PAM authentication using this module in a multithreaded server.
+All the other crypt types are checked via the systems crypt_r function if available, else with the normal crypt function and the same static-buffer-problem.
+
+bigcrypt was used on DEC systems to allow for longer passwords.
+You can check if your passwd file contains any of these with `cut -d: -f2 passwd-file | egrep '^[^$].{13}'`.
+
+Broken md5_crypt is a speciality of big-endian systems.
+An early implementation of md5_crypt got the byte order wrong here and produced different crypt outputs.
+You might have some of these crypt hashes in your passwd file only if you created them on a big-endian system.
+If an md5_crypt hash also worked on a little-endian system (up to and including libpam-pwdfile 0.99) it isn't broken md5_crypt.
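Review bot: The check `cut -d: -f2 passwd-file | egrep '^[^$].{13}'` flags every second field that does not start with `$` and is at least 14 characters long, so it lists candidates for bigcrypt (13 characters plus extra 11-character blocks) but would equally match any other non-`$` hash format of that length; the sentence should say the command lists possible bigcrypt hashes rather than confirming them, and `egrep` can be written as `grep -E` since `egrep` is deprecated in current grep releases. Two smaller wording points in the same hunk: "the systems crypt_r function" should read "the system's crypt_r function", and the sentence "else with the normal crypt function and the same static-buffer-problem" would be clearer as "otherwise with the plain crypt function, which has the same static-buffer problem in multithreaded use", so the thread-safety caveat is stated explicitly for all crypt types, not only the two disabled ones.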