Re: Feature Proposal: Transparent upgrade of crypt() algorithms

From: Xin Li <delphij_at_delphij.net>
Date: Fri, 07 Mar 2014 14:06:43 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

On 03/07/14 13:52, A.J. Kehoe IV (Nanoman) wrote:
> Allan Jude wrote:
>> On 2014-03-07 11:13, A.J. Kehoe IV (Nanoman) wrote:
>>> Allan Jude wrote:
>>> 
>>> [...]
>>> 
>>>> Honestly, my use case is just silently upgrading the strength
>>>> of the hashing algorithm (when combined with my other feature
>>>> request). Updating my bcrypt hashes from $2a$04$ to $2b$12$
>>>> or something. Same applies for the default sha512, maybe I
>>>> want to update to rounds=15000
>>> 
>>> Like this?
>>> 
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=182518
>>> 
>>> Request for comments:
>>> 
>>> http://docs.freebsd.org/cgi/mid.cgi?20140106205156.GD4903
>>> 
>> 
>> This looks like what we wanted. In the feedback you talked about
>> some changes to your patch required to make it work, is there any
>> progress on those?
> 
> Derek's patches worked perfectly for our needs, but we're the sort
> of people who use vipw and our own utilities for user management.
> It wasn't until later that we discovered at least one other file
> would need patching to satisfy everyone.  We didn't want to employ
> the same copy-pasta method, so we asked for feedback about our
> proposed alternative.
> 
> secteam_at_, do you have any comments?  Before we put any more work
> into this, we want to be sure that our proposal is an acceptable
> one.
> 

Did you mean adding rounds capability, or transparent upgrade of
crypt() algorithms, or both?

I need some time to digest the whole transparent upgrade idea but in
general I think it's good.

Speaking for adding rounds, the only problem that needs to be fixed is
that the proposed patch makes it possible to create conflicting
configuration (passwd_format and passwd_modular can use different
hashing algorithms) and need to be fixed and polished.  I like the
idea of making it possible to use more rounds though.

Cheers,
- -- 
Xin LI <delphij_at_delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQIcBAEBCgAGBQJTGkLzAAoJEJW2GBstM+nsaVoP/017iARGzd++lCsfqyFDozGk
nXJjatlrIcRjrbCmVRT0lsHiK/hoYJ4zZPeOu8EXU1Qs0/wggGHYePX7+zEVob2S
YCxhqUOdG/jqrHnH8bljzWE/OtI7Y4PvFOLpsWkOE/uulssQfGDMSy8WJzFriqzv
GXjAEyFrGXCT29gW6ozTRfDfPSOfd4MhwewbMYAUykSqucMfkG4FaDAgLxv/XdRi
YmLQZuxxTzEqMYanZGq/0e5CvOwOuncd0aVxncJC8ZRcsHs5cqbzcyDkkRwvw/YU
g1OsLXiO08zej0rOz1E4pud8O6q3unG5dNcz9Y96oNo0fJONMrk9IetCUCHBsR8N
eyWJQyHL7wwwNlC5k8U9cOnsL3zxBv54N6bfWuWNNDpJmNrvgMr9LdPso+AX0gLD
y4RhVJeLCQbLrkQawoM1+Ki5N0mQibk9BBGXH/ZPScP1pNqVt9tqXp94N5ZPLV54
Uu4cn/2uKjtTjl76YFlCTvfwwiuWgds1k6CnKZIW8luOp4cG5XOoOSztONqWr6S/
yd7SLDV4f8PC7Fi1iSkSuVW5MYz1I7RRVR1Z27oV3e3UwXwIgqRjHJawNZqIgVe1
4lk84+fm75ULLfiA6bgkMCjylyWHCzrdOQt/Zx+0vyZOer5x2p4gZmnYAyV2EQIP
TM611j1UES6OUGFkfbWa
=4Qur
-----END PGP SIGNATURE-----
Received on Fri Mar 07 2014 - 21:06:45 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:47 UTC