From f46bd38f387f0a580e134388086321b03e6b17d3 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Fri, 16 Apr 2021 19:33:21 +0200 Subject: do away with legacy crypt types it is the responsibility of libcrypt to implement crypt types --- README | 17 ----------------- 1 file changed, 17 deletions(-) (limited to 'README') diff --git a/README b/README index bf9eacd..2c46cd1 100644 --- a/README +++ b/README @@ -25,7 +25,6 @@ options * debug: produce a bit of debug output * nodelay: don't tell the PAM stack to cause a delay on auth failure * flock: use a shared (read) advisory lock on pwdfile, you should better move new versions into place instead -* legacy_crypt: see section LEGACY CRYPT PASSWORD FILE @@ -36,19 +35,3 @@ First field contains the username, the second the crypt()ed password. Other fields are optional. crypt()ed passwords in various formats can be generated with mkpasswd from the whois package. - - -LEGACY CRYPT -============ - -There are two crypt types that are disabled by default: bigcrypt and broken md5_crypt. -They are disabled because they use static buffers which is bad when doing PAM authentication using this module in a multithreaded server. -All the other crypt types are checked via the systems crypt_r function if available, else with the normal crypt function and the same static-buffer-problem. - -bigcrypt was used on DEC systems to allow for longer passwords. -You can check if your passwd file contains any of these with `cut -d: -f2 passwd-file | egrep '^[^$].{13}'`. - -Broken md5_crypt is a speciality of big-endian systems. -An early implementation of md5_crypt got the byte order wrong here and produced different crypt outputs. -You might have some of these crypt hashes in your passwd file only if you created them on a big-endian system. -If an md5_crypt hash also worked on a little-endian system (up to and including libpam-pwdfile 0.99) it isn't broken md5_crypt. -- cgit v1.2.3