Bug#117707: [Pkg-shadow-devel] Bug#117707: md5 passwd considered harmless

Martin Quinson <martin.quinson@loria.fr>, 117707@bugs.debian.org
Mon, 9 May 2005 12:22:09 +0200



I just found #93156 (md5 default (was Re: Security trough paranoia)).

It was closed by Karl Ramm (kcr@debian.org) on Aug 22 2003 with the message:
| md5 passwords are now the default in the passwd package, so this is done; I
| should've noticed this and closed it in the changelog.

So, this is another argument for doing the change in the template so that md5
passwd actually gets the default setting :)


Argh! Argh! triple argh! The passwd.config reads:
#       db_get passwd/md5
#       if [ "$RET" = true ]; then
                USE_MD5=1
#       else
#               USE_MD5=''
#       fi
and another commented occurrence of db_get passwd/md5.
This seems to be related to this changelog entry:
 shadow (1:4.0.3-19) unstable; urgency=low

  * "No really, assume md5 passwords". Closes: #223664

So, this template is not used anyway! Sigh. Should we drop the debconf
template or try to re-enable this (for example with low priority, and "true"
as default)? I tend towards the second case.

Opinions? Mt.

On Mon, May 09, 2005 at 10:26:34AM +0200, Martin Quinson wrote:
> package passwd
> retitle 117707 [MARTIN] md5 passwd should be enabled by default
> thanks
>
> Hello,
>
> back in 2001, the bug submitter asked for the default settings of md5 and
> shadow on passwd to be set to "true". It looks like the defaults are
> always the following:
>   md5->false
>   passwd->true
>
> Back in these days, it was said that the first setting was set that way for
> compatibility with old systems. Rumors about parts of Debian not working with
> md5 passwords also occur from time to time.
>
>
> My opinion is to change md5 to true. The template reads:
>  Md5 passwords are more secure and allow for passwords longer than 8
>  characters to be used. However, they can cause compatibility problems if
>  you are using NIS or sharing password files with older systems.
> so I think we don't even have to change this, it's already clear enough.
>
> If it breaks some other package, it's more than time to update the given
> package! Of course, I don't advise doing so for sarge, but for etch >:-)
>
>
> May I proceed or does someone speak against it?
> Mt.
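Added example (not part of this bug thread or of the passwd package): a small Python check that reports which accounts in a shadow-style file still carry traditional DES crypt hashes, the scheme the template text contrasts with md5 because it silently limits passwords to 8 characters. The shadow entries and hash values below are constructed.

```python
# Classify the crypt(3) scheme of shadow-style password fields and list the
# accounts still using traditional DES crypt (13-char hash, 8-char limit).
# Sample input is constructed; no real credentials are involved.
from __future__ import annotations

# Modular-crypt prefixes as used by glibc crypt(3); DES hashes have none.
PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz")


def classify_hash(field: str) -> str:
    """Return the scheme name for one shadow password field."""
    if field == "":
        return "empty"                      # no password required at all
    if field.startswith(("!", "*")):
        return "locked-or-disabled"         # '!' / '*' prefix blocks login
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt: exactly 13 chars from the ./0-9A-Za-z alphabet.
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "descrypt"
    return "unknown"


def find_des_accounts(shadow_text: str) -> list[str]:
    """Names of accounts whose password hash is still traditional DES crypt."""
    weak = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and classify_hash(fields[1]) == "descrypt":
            weak.append(fields[0])
    return weak


# Constructed sample shadow file; hash strings are made up.
SAMPLE_SHADOW = """\
root:$1$Zs3kLm0p$f4Gd8q7Hs1Jk2Lm3Nn4Oo5:12345:0:99999:7:::
legacy:abJnggxhB/yWI:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
alice:$6$rounds=5000$saltsalt$hashhashhashhash:12345:0:99999:7:::
"""

if __name__ == "__main__":
    for name in find_des_accounts(SAMPLE_SHADOW):
        print(f"{name}: DES crypt hash, password effectively limited to 8 chars")
```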
