On Tue, Nov 21, 2000 at 03:31:12PM -0800, David O'Brien wrote:

> When Kris and I discussed this functionality (before Brian went and did
> it), we talked about much higher granularity than Brian implemented:
> 
> MD5 everywhere
> DES everywhere
> MD5 locally / DES yp
> Convert to MD5
> Convert to DES

Only these last two are candidates for PAM. PAM (specifically
pam_unix) doesn't and shouldn't care what crypt() does or what the
algorithm it chooses to use is called; it just treats the strings as
opaque data which are compared to the master.passwd records.

The latter two in your list could be implemented by a "recrypt"
function in a pam "password" module, which a) verifies the presented
password, and b) generates a new password hash with the same
plaintext, which is written out.

This would have the effect that the new password would be whichever
format is the current passwd_format for that user's login class, so
you can transparently migrate users from one algorithm to another
without having to expire passwords or mess with them by hand. You
likely wouldn't want this to happen every time a user logs in, so
there'd have to be some other condition which triggers it for a given
account.

Kris
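The "recrypt" flow described above, as an added example that is not code from the mail or from FreeBSD's pam_unix: the hash functions (hashlib digests standing in for crypt(3) algorithms) and the `$tag$salt$digest` record layout are constructed assumptions; what it shows is the verify-then-rehash logic and the trigger condition (stored format differs from the login class's passwd_format), with the hash otherwise treated as an opaque string.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for crypt(3) algorithms; real pam_unix would call
# crypt() and never look inside the result. Record layout (also constructed):
#   "$<format-tag>$<salt-hex>$<digest-hex>"
FORMATS = {
    "des": hashlib.sha1,    # stands in for the legacy algorithm
    "md5": hashlib.sha256,  # stands in for the current algorithm
}

def make_hash(password, fmt, salt=None):
    """Hash `password` in format `fmt`; fresh random salt unless one is given."""
    salt = salt if salt is not None else os.urandom(8).hex()
    digest = FORMATS[fmt](f"{salt}{password}".encode()).hexdigest()
    return f"${fmt}${salt}${digest}"

def hash_format(stored):
    """Return the format tag embedded in a stored '$tag$salt$digest' record."""
    return stored.split("$")[1]

def verify(password, stored):
    """Re-hash the presented password with the stored salt and format and
    compare in constant time. Malformed or unknown formats never verify."""
    try:
        _, fmt, salt, _ = stored.split("$")
    except ValueError:
        return False
    if fmt not in FORMATS:
        return False
    return hmac.compare_digest(make_hash(password, fmt, salt), stored)

def recrypt(password, stored, passwd_format):
    """Verify the presented password; if it is correct and the stored hash is
    not in `passwd_format`, return a new hash of the same plaintext for the
    caller to write out. Returns (authenticated, new_hash_or_None)."""
    if not verify(password, stored):
        return False, None               # wrong password: never rewrite
    if hash_format(stored) == passwd_format:
        return True, None                # trigger condition not met
    return True, make_hash(password, passwd_format)

if __name__ == "__main__":
    legacy = make_hash("correct horse", "des")
    ok, migrated = recrypt("correct horse", legacy, passwd_format="md5")
    print(ok, migrated)
```

A wrong password never triggers a rewrite, and a record already in the target format is left untouched, so the migration happens at most once per account.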
