CM >* JW (jw@centraltexasit.com) [020313 15:33]: CM >> The docs in /usr/share/doc/packages/md5sum aren't terribly verbose. CM > CM >You want /usr/share/doc/packages/pam/README.md5 Yeah that's exactly what I meant, sorry - I typed that path by hand and typed "md5sum" instead of "pam". Well ok... thanks.... -- ------------------------------------------------- Jonathan Wilson System Administrator Central Texas IT Clickpatrol.com Cedar Creek Software http://www.cedarcreeksoftware.com

Roman Drahtmueller wrote:

Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is quite simple: Interoperability. It breaks if you have nis or with other unixes.

Could you expand on this? What does it break with NIS? I have md5 enabled in my /etc/pam.d/passwd and I'm also using NIS, but my NIS passwd map isn't at /etc/passwd ... What does md5 break with NIS? Thanks, Richard -- Richard Ems ... e-mail: r.ems@gmx.net ... Computer Science, University of Hamburg Unix IS user friendly. It's just selective about who its friends are.

Richard Ems wrote:

Roman Drahtmueller wrote:

...

Btw, talking defaults: Even in 8.0, md5 is not the default. The reason is quite simple: Interoperability. It breaks if you have nis or with other unixes.

Could you expand on this? What does it break with NIS? I have md5 enabled in my /etc/pam.d/passwd and I'm also using NIS, but my NIS passwd map isn't at /etc/passwd ...

What does md5 break with NIS?

i think he's talking about the 'problem' that nis uses still cryted passwords. You can login with md5 passwords fine, but not change them. If you do so, the NIS will be broken. With PAM you can support md5 on your local box just fine. But some old ftpd's or pop3d's etc. cannot deal with pam or md5 at all. So if you make it to the default some deamons and services will not run anymore. If you do so, you have to check all the tools and maybe recompile them etc. If you take a look at SuSE you'll see that it's a big 'repository' of software. They cannot track all software from release to release etc. The important things are the basics, they must work. Look at ghostscript: it's avaiable as 6.x but suse still ships 5.5. afaik.. 5.5. works fine, 6.x have a more effektiv memory management, but you've many things depending on ghostscript... so all must checked etc. and thats the 'problem' for a distributor like SuSE. You're able to enable md5 yourself, maybe it's an option for suse to add a question to yast(1|2) at installation time (maybe only for expert modus) that asks you to enable md5 passwords and give's you a hint where problems can occour. -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.

JW wrote:

SM >Richard Ems wrote: SM >> SM >> Roman Drahtmueller wrote: SM >> SM >> > Btw, talking defaults: Even in 8.0, md5 is not the default. The reason

SM >You're able to enable md5 yourself, maybe it's an option SM >for suse to add a question to yast(1|2) at installation time SM >(maybe only for expert modus) that asks you to enable SM >md5 passwords and give's you a hint where problems can SM >occour.

Yes, PLEASE - something in YaST (installer) is exactly what I had in mind - an after-the-fact converter might be nice too, with a warning that exists passwords must be reset for changes to take effect.

readme said that afaik. and you just need to copy the pam files into your /etc/pam.d. But okay, would be nicer to have a 'tool'.

RedHat has a "use md5 passwords" option in it's setup (6.2 did at least), SuSE should too.

ACK, like i said, but with the warning that some things can't work with that correctly (afaik debian has such a warning ...) -- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256 Junk mail is war. RFCs do not apply.