Subject: Re: /etc/passwd.conf
To: Todd Vierling <tv@pobox.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 08/07/2003 09:39:54

On Wed, Aug 06, 2003 at 12:27:41AM -0400, Todd Vierling wrote:
> On Wed, 6 Aug 2003 itojun@iijlab.net wrote:
> 
> : 	hmm i see, then i should have proposed "change the default choice on
> : 	src/lib/libutil/passwd.c to blowfish,7".
> 
> Eek.  Certainly not!
> 
> I know salted-DES is bad and trivially crackable.  But it Works in
> heterogeneous environments where the rest of the system is reasonably
> secured, so it is still an excellent interoperability default.

Are you saying that "heterogeneous environments where the rest of
the system is reasonably secured" are the common case for users?
I think not.

I think we should have the best possible secure default, and allow
system admins (who are clueful enough to run "heterogeneous
environments where the rest of the system is reasonably secured")
to override in passwd.conf if they need to.

(That doesn't necessarily argue where the overridden default comes
from.)

Remember, again, that the default changes the format for newly-set
passwords only; existing user password hashes are determined from
examination. So, changing the default doesn't break anyone's
passwords, and users who change their passwords get the new format.

> Selection of an alternative entry creation algorithm should be made at the
> user level, via sysinst (which we've been told can set it to blowfish in
> NetBSD-current) or manual editing of passwd.conf.  There's no reason to hack
> either of passwd.c or passwd.conf in a raw build.

One or the other should be set to something better than des, by
something other than sysinst - there are a large number of existing
systems out there, and a number of people who don't use sysinst to
install.

If I accept all the defaults in sysinst, I should get the same
system options as if I had not used sysinst. Ideally, the default
represented in a vanilla passwd.conf should represent the default
used by the library if no passwd.conf is present. 

--
Dan.
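
Added example, not part of the original message and not NetBSD's own code: a sketch of how a stored password field identifies its own scheme "from examination", which is why changing the default leaves existing entries valid, and how an admin could count the accounts that still carry a DES hash afterwards. The function names and the sample entries are assumptions made for this illustration; the hash strings are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not NetBSD's own code. */
enum scheme { S_NONE, S_DES, S_EXT_DES, S_MD5, S_BLOWFISH, S_UNKNOWN };
struct entry { const char *user; const char *hash; };

static const char CRYPT64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Classify a stored password field by examination of the string alone. */
enum scheme classify_hash(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || h[0] == '*')
        return S_NONE;                  /* empty or disabled entry */
    if (strncmp(h, "$1$", 3) == 0)
        return S_MD5;
    if (strncmp(h, "$2", 2) == 0)
        return S_BLOWFISH;              /* e.g. "$2a$07$..." */
    if (h[0] == '_' && n == 20 && strspn(h + 1, CRYPT64) == 19)
        return S_EXT_DES;               /* '_' + count + salt + hash */
    if (n == 13 && strspn(h, CRYPT64) == 13)
        return S_DES;                   /* 2-char salt + 11-char hash */
    return S_UNKNOWN;
}

/* Count entries still stored as traditional DES after a default change. */
int count_des(const struct entry *e, int n)
{
    int i, c = 0;
    for (i = 0; i < n; i++)
        if (classify_hash(e[i].hash) == S_DES)
            c++;
    return c;
}

/* Constructed sample entries; placeholders, not real hashes. */
static const struct entry sample[] = {
    { "alice", "ab0123456789A" },
    { "bob",   "$2a$07$PLACEHOLDERsaltPLACEHOLDERhash" },
    { "carol", "_J9..saltABCDEFGHIJK" },
    { "dave",  "*" },
};

int main(void)
{
    printf("%d of 4 sample accounts still carry a DES hash\n", count_des(sample, 4));
    return 0;
}
```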