[Pkg-shadow-devel] Blowfish vs MD5 as default cipher

Nicolas François nicolas.francois at centraliens.net
Mon May 26 22:32:27 UTC 2008


On Mon, May 26, 2008 at 03:54:07PM -0500, karl at xtronics.com wrote:
> This article:
> http://blogs.techrepublic.com.com/security/?p=377
> 
> describes how to switch to blowfish for added security.  What I'm thinking
> is that if this is a true description of the current situation, shouldn't
> blowfish be the default setup?

Blowfish is mostly available on BSD
(although libpam-unix2 supports it).

Currently shadow does not support blowfish, but the SHA password
encryption algorithm has recently become supported by the GNU libc, and
support for this password encryption algorithm was added to shadow.

With shadow or with Linux-PAM, SHA256 and SHA512 seem to be good
replacements.

If shadow is compiled with PAM support, and if it is configured to use
blowfish, then passwd should use it to generate blowfish passwords.
But newusers, chpasswd, chgpasswd, and gpasswd will still rely on the
algorithm defined in /etc/login.defs.

Adding support for blowfish should be possible in shadow using the
xcrypt library. However, I don't know if there would be users for this
algorithm.
I'm not a cryptographer, and I'm not able to compare these algorithms.

Best Regards,
-- 
Nekral
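
Added example, not part of the original message or of shadow's own code: a Python check for the split described above, where passwd goes through PAM while newusers, chpasswd, chgpasswd and gpasswd follow /etc/login.defs. It assumes the login.defs keys ENCRYPT_METHOD and MD5_CRYPT_ENAB and the pam_unix.so algorithm options; the file contents, account names and hashes are constructed samples.

```python
import re

# Constructed sample files; contents are illustrative, not from a real host.
LOGIN_DEFS = "MD5_CRYPT_ENAB yes\nENCRYPT_METHOD MD5   # chpasswd, newusers, gpasswd\n"
PAM_PASSWORD = "password [success=1 default=ignore] pam_unix.so obscure blowfish\n"
SHADOW = ("alice:$2a$05$constructedsaltconstructedhash:14000:0:99999:7:::\n"
          "bob:$1$constructed$constructedhash:14000:0:99999:7:::\n"
          "daemon:*:14000:0:99999:7:::\n")

# crypt(3) hash prefixes and pam_unix.so option names, mapped to one label set.
PREFIXES = {"$1$": "MD5", "$2a$": "BLOWFISH", "$2b$": "BLOWFISH",
            "$2y$": "BLOWFISH", "$5$": "SHA256", "$6$": "SHA512"}
PAM_OPTS = {"md5": "MD5", "blowfish": "BLOWFISH", "sha256": "SHA256", "sha512": "SHA512"}

def _fields(line):
    """Split a config line into tokens, dropping any trailing comment."""
    return line.split("#", 1)[0].split()

def login_defs_method(text):
    """Scheme the login.defs-driven tools will use for new hashes."""
    settings = {f[0]: f[1] for f in map(_fields, text.splitlines()) if len(f) == 2}
    if "ENCRYPT_METHOD" in settings:      # overrides MD5_CRYPT_ENAB when present
        return settings["ENCRYPT_METHOD"].upper()
    return "MD5" if settings.get("MD5_CRYPT_ENAB") == "yes" else "DES"

def pam_unix_method(text):
    """Scheme named on the pam_unix.so password line, or None if not stated."""
    for fields in map(_fields, text.splitlines()):
        if fields[:1] == ["password"] and "pam_unix.so" in fields:
            opts = fields[fields.index("pam_unix.so") + 1:]
            return next((PAM_OPTS[o] for o in opts if o in PAM_OPTS), None)
    return None

def hash_scheme(field):
    """Classify the second field of a shadow entry by its prefix."""
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "DES" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else "LOCKED/OTHER"

def audit(login_defs, pam_conf, shadow):
    """Report both configured schemes, whether they differ, and per-account schemes."""
    ld, pam = login_defs_method(login_defs), pam_unix_method(pam_conf)
    accounts = {u: hash_scheme(h) for u, h in
                (line.split(":")[:2] for line in shadow.splitlines())}
    return {"login.defs": ld, "pam_unix": pam,
            "mismatch": pam is not None and pam != ld, "accounts": accounts}

if __name__ == "__main__":
    print(audit(LOGIN_DEFS, PAM_PASSWORD, SHADOW))
```

A mismatch means the stored hash scheme depends on which tool last set the password, so a policy change made only in PAM leaves accounts provisioned in bulk on the older scheme.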


