Subject: Re: /etc/passwd.conf
To: None <itojun@iijlab.net>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 08/06/2003 00:27:41

On Wed, 6 Aug 2003 itojun@iijlab.net wrote:

: >Why change in the passwd.conf instead of in src/lib/libutil/passwd.c?
:
: 	hmm i see, then i should have proposed "change the default choice on
: 	src/lib/libutil/passwd.c to blowfish,7".

Eek.  Certainly not!

I know salted-DES is bad and trivially crackable.  But it Works in
heterogeneous environments where the rest of the system is reasonably
secured, so it is still an excellent interoperability default.

Selection of an alternative entry creation algorithm should be made at the
user level, via sysinst (which we've been told can set it to blowfish in
NetBSD-current) or manual editing of passwd.conf.  There's no reason to hack
either passwd.c or passwd.conf in a raw build.

-- 
-- Todd Vierling <tv@pobox.com>