On 01/20/2012 04:32 AM, Kevin Chadwick wrote:
I know arch tries to keep to upstream but their seems some discrepencies that you may or may not be aware of so thought I'd share.
The crypt man page says glibc may not support blowfish (stronger than nists recommendation) and that seems true when used via the commandline (very short output).
The arch wiki says you can use a library from AUR.
There is also a sha512 arch wiki which says you should edit pamd.d/passwd from md5 to sha512 but the default seems to already be sha512, maybe it tries both as some distros default is now sha512 so no need anymore.
It seems if you simply edit /etc/default/passwd to blowfish and reset your password, sha512 is used e.g. encrypted password beginning with $6 in /etc/shadow not $2 (blowfish) and logins work fine. Wouldn't that be because you did not setup blowfish properly? You cant just change passwd only to get blowfish going, according to the wiki. (Not speaking from experience)
I guess the /etc/default/passwd config file may be futurised or the config written before changing to SHA which was easier to implement and the wiki is out of date with the code??
Not sure if I am getting what you mean here but to me sounds like you did not complete what is in the wiki in regards to running blowfish, since you need AUR package and what not and it says there is more to do than change a single file to make blowfish the algo. I was wondering when you change these settings how do you change the hash of other system users, or is that pointless and not needed? I always wondered about that. Such as user ftp or similar.