Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Which password cipher ?

On 12/1/10 11:49 AM, Steven Bellovin wrote:
On Dec 1, 2010, at 6:14 05AM, Julio Merino wrote:

On 12/1/10 10:59 AM, Robert Elz wrote:
     Date:        Wed, 1 Dec 2010 09:42:17 +0000
     From:        Julio Merino<>

   | Which makes me wonder... why do we even *ask* people to choose a
   | cypher algorithm during install?  Couldn't we, as the developers of
   | the system, make a good choice for our users (and let them change it
   | after installation if they so wish, just as they can with everything
   | else)?  (It just feels stupid that we have a question in sysinst for
   | something as trivial as this but we don't have a way to select, e.g.
   | which services to enable.)

It is (of course) because we really want sysinst to encourage setting a
root password, and we need to know which cipher to use to set that one with,
before it is set.   Nothing sysinst does inhibits in any way enabling
the various services, but setting a root password with the "wrong" cipher
would be annoying.
"Of course".  But really, who cares?  Why would you ever have to think about 
what cypher algorithm to use, *specially* during installation?  And if you want to change 
it at all after install, you should know how to and, therefore, you should know what 
implications that has and how to deal with them.
The simple answer is password file compatibility -- other systems accept the older 
formats.  Over the years, I've seen many instances where someone will say "send me 
your passwd file line".  DES is the most compatible; the Blowfish and md5 methods 
are used by other open source systems; the HMAC-SHA1 scheme was developed for NetBSD and 
doesn't exist elsewhere unless they've picked up our code.
I understand that having the ability to change the cypher algorithm can be handy (I'm not arguing otherwise). But that doesn't mean such a tunable needs to be available during the installation procedure.

Anyway, thanks for the explanation.

Home | Main Index | Thread Index | Old Index