Current-Users archive

Re: Which password cipher ?
On 12/1/10 11:49 AM, Steven Bellovin wrote:
> On Dec 1, 2010, at 6:14 05AM, Julio Merino wrote:
>
>> On 12/1/10 10:59 AM, Robert Elz wrote:
>>>     Date:        Wed, 1 Dec 2010 09:42:17 +0000
>>>     From:        Julio Merino<jmmv%NetBSD.org@localhost>
>>>     Message-ID:  <AANLkTimY1WcUrXgdObPZzi_jv2ysKV+9esJ46s5CXn=e%mail.gmail.com@localhost>
>>>
>>>   | Which makes me wonder... why do we even *ask* people to choose a
>>>   | cypher algorithm during install?  Couldn't we, as the developers of
>>>   | the system, make a good choice for our users (and let them change it
>>>   | after installation if they so wish, just as they can with everything
>>>   | else)?  (It just feels stupid that we have a question in sysinst for
>>>   | something as trivial as this but we don't have a way to select, e.g.
>>>   | which services to enable.)
>>>
>>> It is (of course) because we really want sysinst to encourage setting a
>>> root password, and we need to know which cipher to use to set that one with,
>>> before it is set.   Nothing sysinst does inhibits in any way enabling
>>> the various services, but setting a root password with the "wrong" cipher
>>> would be annoying.
>>
>> "Of course".  But really, who cares?  Why would you ever have to think about
>> what cypher algorithm to use, *especially* during installation?  And if you want to change
>> it at all after install, you should know how to and, therefore, you should know what
>> implications that has and how to deal with them.
>
> The simple answer is password file compatibility -- other systems accept the older
> formats.  Over the years, I've seen many instances where someone will say "send me
> your passwd file line".  DES is the most compatible; the Blowfish and md5 methods
> are used by other open source systems; the HMAC-SHA1 scheme was developed for NetBSD and
> doesn't exist elsewhere unless they've picked up our code.

I understand that having the ability to change the cypher algorithm can be handy (I'm not arguing otherwise). But that doesn't mean such a tunable needs to be available during the installation procedure.

Anyway, thanks for the explanation.
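As an added example (not from the thread or from NetBSD's own code): a small audit script that classifies the hash scheme of each master.passwd entry by its crypt(3) prefix, so an administrator can see after install which accounts still carry a DES hash rather than one of the other schemes Bellovin lists. It assumes the prefixes `$1$` for MD5, `$2a$` for Blowfish, `$sha1$` for NetBSD's HMAC-SHA1, and a bare 13-character field for traditional DES; the sample entries are constructed and the hash strings are not real.

```python
import re
from collections import Counter

# crypt(3) prefixes for the schemes named in the thread
# (assumed from NetBSD's crypt(3) conventions).
PREFIXES = {
    "$sha1$": "hmac-sha1",   # NetBSD-specific scheme
    "$2a$": "blowfish",
    "$1$": "md5",
}
# Traditional DES: 2-char salt + 11-char hash from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return the hash scheme name for one passwd hash field."""
    if field == "":
        return "empty"            # no password set at all
    if field.startswith("*") or field.startswith("!"):
        return "locked"           # login disabled
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_master_passwd(text):
    """Map user name -> scheme for each entry in master.passwd-style text.
    Fields: name:password:uid:gid:class:change:expire:gecos:home:shell"""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def scheme_counts(text):
    """Count how many accounts use each scheme."""
    return Counter(audit_master_passwd(text).values())


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$sha1$24000$abcdefgh$xxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/sh
legacy:abJnggxhB/yWI:1001:100::0:0:Old Account:/home/legacy:/bin/sh
alice:$1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx:1002:100::0:0:Alice:/home/alice:/bin/sh
bob:$2a$08$saltsaltsaltsaltsaltsaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1003:100::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
"""

if __name__ == "__main__":
    for user, scheme in audit_master_passwd(SAMPLE).items():
        print(f"{user:10} {scheme}")
```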