[Pkg-shadow-devel] redhat patches
Peter Vrabec
pvrabec at redhat.com
Thu Nov 15 14:02:12 UTC 2007
On Thursday 15 November 2007 01:15:58 am Nicolas François wrote:
> Hi,
>
> Just a quick answer. I will try to have a deeper look this week-end.
>
> On Wed, Nov 14, 2007 at 05:56:29PM +0100, Peter Vrabec wrote:
> > these is one important patch that we need to push to upstream. It enable
> > shadow-utils to use new glibc code for different password hashes. It
> > would be nice start using it as soon as possible.
> >
> > Take a look at:
> > http://people.redhat.com/drepper/sha-crypt.html
>
> I knew there were some plans, I did not imagine they were so concrete!
>
> I had a look at Ulrich paper and specification. Not much comments. Sounds
> good.
> * blowfish could be nice for people not only interested by the NIST
> argument. But this is glibc stuff.
> * "The maximum salt string length is raised to 16. Not really because 8
> bytes [...] is not enough. More because varying sizes of the salt
> string adds additional entropy when the attacker does not know the salt
> string." (http://people.redhat.com/drepper/sha-crypt.html)
> I don't think that is true. IMO, the varying size adds less than one
> bit of entropy. So moving from 8 to 16 adds much more entropy.
> I don't think that is important though, I don't think having a fixed
> size entropy is interesting neither and having a minimum of 8 bytes
> is quite good.
good for me, too :-)
> Just some questions regarding the shadow patch:
> 1 Does PAM supports these password schemes (for password creation and
> authentication)?
in next upstream release.
> I guess there is not much to do since everything is done in crypt().
> But the pam_unix module may need a sha256/sha512 option (and maybe a
> count option).
> 2 How does your patch behaves with an old libc?
> The configure script will need an option and maybe a detection script.
you are right, we need to check glibc in configure.
> 3 Are all the buffers which contain encrypted passwords long enough?
They supposed to be alright.
> 4 Is there a need for a count option, set by the admin depending on the
> server CPU resources and needed password strength.
> 5 Is the algorithm stable enough to avoid the rounds= parameter?
> (i.e. the default # of rounds is currently 5000. If it is not
> specified in the password, and if the libc changes the default number
> of rounds used by crypt, that would mean a lock of users accounts)
> It could be safer to always specify the number of counts.
I'll ask Ulrich about this. But I hope it's not needed to use rounds=
parameter.
> 6 chpasswd and chgpasswd will need some new options.
true.
> I don't think any of these should delay the inclusion of the patch (but
> 2, 3, and 5 should be clarified before the 4.0.19 release).
>
> Thanks for the patch.
>
> > > Here are some comments on the RedHat patches (based on
> > > shadow-utils-4.0.18.1-13.fc7.src.rpm):
> > > * shadow-4.0.11.1-vipw.patch
> > > Is it still needed?
> > > What are /etc/ptmp and /tmp/gtmp?
> > > Are they standard lock files used by other common/recent software?
> >
> > I found that it fix #6489
> >
> > "It is possibile to add an user with useradd while someone
> > else is editing the passwd file with vipw. vipw does acquire
> > some lock, preventing multiple istances of itself from
> > running at the same time, but useradd probably uses a
> > different locking scheme. I understand the two executable
> > belongs to different packages (shadow-utils-19990827-2 and
> > util-linux-2.9w-24) but i think they should interact
> > correctly."
>
> I will check more recent version of util-linux.
>
> On Red Hat systems, does vipw/vigr (still) come from util-linux?
>
> Wouldn't it be better to check the presence of these util-linux lock files
> in pw_lock & gr_lock?
I talked to util-linux upstream/maintainer (one person). We will stop using
vipw from util-linux and start using one in shadow-utils. Therefore this
patch isn't important anymore.
> Are there other lock files for the shadowed databases (/etc/shadow &
> gshadow)?
>
> > > * shadow-4.0.16-nscd.c
> > > Why is the current nscd_flush_cache implementation not sufficient?
> >
> > That was a long story :-)
> > https://bugzilla.redhat.com/show_bug.cgi?id=191464
> > comment #
> > Ulrich Drepper:
> > "Nobody is allowed to use that socket outside of glibc. The
> > protocol is private. That's the whole reason for the problem."
> >
> > I'll appreciate if you commit it.
>
> OK. I will just check if there are no new glibc function to flush the nscd
> tables since 2006-06-04.
thnx.
>
> I need also to see whether the patch works when nscd is not present (at
> least it is the case on Debian by default).
> I would prefer this case to be handled with no warnings/errors.
ok
> > > * shadow-4.0.17-notInheritFd.patch
> > > Only useful when shadow-4.0.16-nscd.c is used?
> > > Upstream implementation does not execve, but uses a socket.
> >
> > right
>
> Will be committed with shadow-4.0.16-nscd.c
>
>
>
> PS: Mike, I'm also committing gentoo patches;)
>
> Best Regards,
More information about the Pkg-shadow-devel
mailing list