Subject: PEOPLE WITHOUT CRYPT(), BEWARE!!!
To: None <current-users@NetBSD.ORG>
From: Chris G Demetriou <Chris_G_Demetriou@LAGAVULIN.PDL.CS.CMU.EDU>
List: current-users
Date: 02/19/1995 08:00:23

If you're using NetBSD without the security distribution, either
because you didn't bother grabbing it, or because you're outside the
US and therefore can't use the 'official' one and don't want to use a
foreign version, BEWARE!

It took a bit longer for me to get around to it than I expected, but
I've finally replaced the dummy crypt routines with a real-but-broken
version.  The next time you recompile and reinstall /usr/src/lib/libcrypt,
dynamically-linked binaries that use crypt() won't work as you expect,
if you've previously been using plaintext passwords.  Be sure to fix
the passwords in your password file before you install a new libcrypt.

The new version is exportable, because it includes a broken decryption
mechanism.  (In point of fact, the new version is that which is
distributed by UC Berkeley in the foreign versions of the Net/2 and
4.4-Lite tapes.)  Since password encryption uses no decryption, the
new version will work fine for passwords.


This change is also accompanied by a minor reorganization of the
source tree: a new hierarchy, /usr/src/domestic, has been created, for
sources which aren't exportable from the US.  None of the "for export" sup
distributions include this directory, and (since it is a top-level
hierarchy in the source tree) it is a separate tar file.  It's
expected that if you're supping or ftping from outside the US, you'll
only take files which are exportable.


cgd
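
An added example, not part of the original message or of NetBSD: a pre-upgrade check that lists accounts whose password field does not have the shape of crypt() output, which are the entries to fix before installing the new libcrypt. The record layout, the two accepted hash shapes, the "*" disabled marker, and the sample data are assumptions.

```sh
#!/bin/sh
# Added example: list accounts whose password field is not crypt() output.
# Assumptions: master.passwd-style records with the password in field 2;
# a hash is 13 characters of [./0-9A-Za-z] (traditional format) or "_"
# followed by 19 such characters (extended format); a leading "*" marks
# an account with password login disabled.

find_unhashed() {
    awk -F: '
        /^#/ || NF < 2          { next }                      # comments, junk
        $2 == ""                { print $1 ": empty"; next }  # no password set
        substr($2, 1, 1) == "*" { next }                      # disabled account
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$"  { next } # traditional hash
        length($2) == 20 && $2 ~ "^_[./0-9A-Za-z]+$" { next } # extended hash
                                { print $1 ": not-a-hash" }   # likely plaintext
    ' "$@"
}

# Constructed sample records; the hash fields only have the right shape.
sample_passwd() {
    cat <<'EOF'
root:abJnggxhB/yWI:0:0::0:0:Superuser:/root:/bin/csh
daemon:*:1:1::0:0:Daemon:/:/sbin/nologin
alice:hunter2:1000:100::0:0:Alice:/home/alice:/bin/sh
bob:_J9..K0AyUubDrfOgO4s:1001:100::0:0:Bob:/home/bob:/bin/sh
carol::1002:100::0:0:Carol:/home/carol:/bin/sh
EOF
}

# Pass a password file as an argument to check it; with no argument the
# function reads standard input, here the constructed sample.
sample_passwd | find_unhashed
```

This is a shape test only: a plaintext password that happens to be 13 characters from the same alphabet passes it unnoticed.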