Hey, I just discovered that MD5 passwords sure don't seem to be the default (I'm looking at a 7.3 box), I thought they were :-(.

The docs in /usr/share/doc/packages/md5sum aren't terribly verbose... what do most people do to convert to md5sum, move the old /etc/pam.d files to .old and copy the ones from /usr/share/doc/packages/pam/md5.config/ and reset all passwords? Or is there more to it than that? I didn't see any other documentation in the SuSE manuals or on suse.com.

Thanks.

--
-------------------------------------------------
Jonathan Wilson
System Administrator
Central Texas IT
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
CM >* JW (jw@centraltexasit.com) [020313 15:33]:
CM >> The docs in /usr/share/doc/packages/md5sum aren't terribly verbose.
CM >
CM >You want /usr/share/doc/packages/pam/README.md5

Yeah that's exactly what I meant, sorry - I typed that path by hand and typed "md5sum" instead of "pam".

Well ok... thanks....

--
-------------------------------------------------
Jonathan Wilson
System Administrator
Central Texas IT
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
> CM >* JW (jw@centraltexasit.com) [020313 15:33]:
> CM >> The docs in /usr/share/doc/packages/md5sum aren't terribly verbose.
> CM >
> CM >You want /usr/share/doc/packages/pam/README.md5
>
> Yeah that's exactly what I meant, sorry - I typed that path by hand and typed "md5sum" instead of "pam".
>
> Well ok... thanks....

Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is
quite simple: Interoperability. It breaks if you have nis or with other
unixes.
Roman.
--
Roman Drahtmüller
Roman Drahtmueller wrote:
> Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is quite simple: Interoperability. It breaks if you have nis or with other unixes.

Could you expand on this? What does it break with NIS? I have md5 enabled in my /etc/pam.d/passwd and I'm also using NIS, but my NIS passwd map isn't at /etc/passwd ...

What does md5 break with NIS?

Thanks, Richard

--
Richard Ems ... e-mail: r.ems@gmx.net ... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
> > Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is quite simple: Interoperability. It breaks if you have nis or with other unixes.
>
> Could you expand on this? What does it break with NIS? I have md5 enabled in my /etc/pam.d/passwd and I'm also using NIS, but my NIS passwd map isn't at /etc/passwd ...
>
> What does md5 break with NIS?

I didn't say that - you should simply try it out. The crypted password string begins with $1$ if it's an md5 string, and $2a$ if it's blowfish. If you use these Linux goodies together with Suns, HPs, SGIs or something else, it won't work.

> Thanks, Richard

Regards,
Roman.
--
Roman Drahtmüller
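
The prefix check described in the message above, as an added example that is not part of the original thread: it classifies the password field of passwd-format lines (local file or NIS map) by scheme and lists the accounts that a host limited to traditional crypt(3) could not verify. The function names and the sample entries are constructed for illustration; treating anything other than a 13-character traditional DES string as non-portable is an assumption about the non-Linux hosts.

```python
import re

# Traditional DES crypt(3): 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed passwd-format sample (hash values are placeholders, not real hashes).
SAMPLE = """\
alice:abCONSTRUCTED:1001:100::/home/alice:/bin/bash
bob:$1$saltsalt$CONSTRUCTEDconstructed:1002:100::/home/bob:/bin/bash
carol:$2a$05$CONSTRUCTEDconstructedCONSTRUCTED:1003:100::/home/carol:/bin/bash
dave:*:1004:100::/home/dave:/bin/false
+::::::
"""


def classify_hash(field):
    """Name the scheme of one password field from its prefix and shape."""
    if field == "":
        return "empty"
    if field == "x" or field[0] in "*!":
        return "locked-or-shadowed"   # no usable hash in this field
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$2a$"):
        return "blowfish"
    if field.startswith("$"):
        return "other-modular"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_map(lines):
    """Return {user: scheme} for entries a DES-only crypt(3) host cannot verify."""
    flagged = {}
    for line in lines:
        line = line.strip()
        # Skip blanks, comments and NIS compat entries (+user / -user / +).
        if not line or line[0] in "#+-":
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme = classify_hash(parts[1])
        if scheme in ("md5", "blowfish", "other-modular", "unknown"):
            flagged[parts[0]] = scheme
    return flagged


if __name__ == "__main__":
    for user, scheme in sorted(audit_map(SAMPLE.splitlines()).items()):
        print(f"{user}: {scheme} hash, not usable on a DES-only crypt(3) host")
```
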
Richard Ems wrote:
> Roman Drahtmueller wrote:
> > Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is quite simple: Interoperability. It breaks if you have nis or with other unixes.
>
> Could you expand on this? What does it break with NIS? I have md5 enabled in my /etc/pam.d/passwd and I'm also using NIS, but my NIS passwd map isn't at /etc/passwd ...
>
> What does md5 break with NIS?

I think he's talking about the 'problem' that nis still uses crypted passwords. You can log in with md5 passwords fine, but not change them. If you do so, the NIS will be broken.

With PAM you can support md5 on your local box just fine. But some old ftpd's or pop3d's etc. cannot deal with pam or md5 at all. So if you make it the default some daemons and services will not run anymore. If you do so, you have to check all the tools and maybe recompile them etc.

If you take a look at SuSE you'll see that it's a big 'repository' of software. They cannot track all software from release to release etc. The important things are the basics, they must work. Look at ghostscript: it's available as 6.x but suse still ships 5.5. afaik.. 5.5. works fine, 6.x has a more effective memory management, but you've many things depending on ghostscript... so all must be checked etc. and that's the 'problem' for a distributor like SuSE.

You're able to enable md5 yourself, maybe it's an option for suse to add a question to yast(1|2) at installation time (maybe only for expert modus) that asks you to enable md5 passwords and gives you a hint where problems can occur.

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
SM >Richard Ems wrote:
SM >>
SM >> Roman Drahtmueller wrote:
SM >>
SM >> > Btw, talking defaults: Even in 8.0, md5 is not the default. The reason

SM >You're able to enable md5 yourself, maybe it's an option
SM >for suse to add a question to yast(1|2) at installation time
SM >(maybe only for expert modus) that asks you to enable
SM >md5 passwords and gives you a hint where problems can
SM >occur.

Yes, PLEASE - something in YaST (installer) is exactly what I had in mind - an after-the-fact converter might be nice too, with a warning that existing passwords must be reset for changes to take effect.

RedHat has a "use md5 passwords" option in its setup (6.2 did at least), SuSE should too.

--
-------------------------------------------------
Jonathan Wilson
System Administrator
Central Texas IT
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
JW wrote:
> SM >Richard Ems wrote:
> SM >>
> SM >> Roman Drahtmueller wrote:
> SM >>
> SM >> > Btw, talking defaults: Even in 8.0, md5 is not the default. The reason
>
> SM >You're able to enable md5 yourself, maybe it's an option
> SM >for suse to add a question to yast(1|2) at installation time
> SM >(maybe only for expert modus) that asks you to enable
> SM >md5 passwords and gives you a hint where problems can
> SM >occur.
>
> Yes, PLEASE - something in YaST (installer) is exactly what I had in mind - an after-the-fact converter might be nice too, with a warning that existing passwords must be reset for changes to take effect.

readme said that afaik. and you just need to copy the pam files into your /etc/pam.d. But okay, would be nicer to have a 'tool'.

> RedHat has a "use md5 passwords" option in its setup (6.2 did at least), SuSE should too.

ACK, like I said, but with the warning that some things can't work with that correctly (afaik debian has such a warning ...)

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
> > RedHat has a "use md5 passwords" option in its setup (6.2 did at least), SuSE should too.
>
> ACK, like I said, but with the warning that some things can't work with that correctly (afaik debian has such a warning ...)

SuSE has such a switch in yast2.

Thanks,
Roman.
--
Roman Drahtmüller
participants (5): Christopher Mahmood, JW, Richard Ems, Roman Drahtmueller, Sven Michels