diff options
author | Timo Weingärtner <timo@tiwe.de> | 2013-09-26 16:29:26 +0200 |
---|---|---|
committer | Timo Weingärtner <timo@tiwe.de> | 2013-09-26 16:29:48 +0200 |
commit | 5e5588cd1edfbab1889537b93ae13b159f76caff (patch) | |
tree | a858051c420210688da9267774defe21f96e1b3e | |
parent | 235369330e1c1366e5c7cb31561cdb673703ad58 (diff) | |
download | libpam-pwdfile-5e5588cd1edfbab1889537b93ae13b159f76caff.tar.gz |
README: describe legacy_crypt in more detail
-rw-r--r-- | README | 18 |
1 files changed, 17 insertions, 1 deletions
@@ -25,7 +25,7 @@ options * debug: produce a bit of debug output * nodelay: don't tell the PAM stack to cause a delay on auth failure * flock: use a shared (read) advisory lock on pwdfile, you should better move new versions into place instead -* legacy_crypt: turns on bigcrypt and "broken md5_crypt", you will only need that if you use password hashes from another system that uses those algorithms +* legacy_crypt: see section LEGACY CRYPT PASSWORD FILE @@ -36,3 +36,19 @@ First field contains the username, the second the crypt()ed password. Other fields are optional. crypt()ed passwords in various formats can be generated with mkpasswd from the whois package. + + +LEGACY CRYPT +============ + +There are two crypt types that are disabled by default: bigcrypt and broken md5_crypt. +They are disabled because they use static buffers which is bad when doing PAM authentication using this module in a multithreaded server. +All the other crypt types are checked via the systems crypt_r function if available, else with the normal crypt function and the same static-buffer-problem. + +bigcrypt was used on DEC systems to allow for longer passwords. +You can check if your passwd file contains any of these with `cut -d: -f2 passwd-file | egrep '^[^$].{13}'`. + +Broken md5_crypt is a speciality of big-endian systems. +An early implementation of md5_crypt got the byte order wrong here and produced different crypt outputs. +You might have some of these crypt hashes in your passwd file only if you created them on a big-endian system. +If an md5_crypt hash also worked on a little-endian system (up to and including libpam-pwdfile 0.99) it isn't broken md5_crypt. |