Re: Security trough paranoia
On Fri, Mar 30, 2001 at 05:03:18PM -0600, Steve Langasek wrote:
> Since the use of md5 primarily affects updates made to the local
> password/shadow file, the only scenarios where this even becomes a problem are
> when using NIS, or when distributing copies of the same password/shadow file
> to various machines.
> The first scenario could be detected programmatically
> and addressed; the second doesn't strike me as sufficient justification for
> continuing to inflict pathetically weak password encryption on everyone
> else by default. Those people that really need ancient crypt for their
> passwords can override the default as easily as those of us who want security
> are currently required to do.
> Which default is really going to better the Debian community as a whole?
Ok, I'll buy that. Hopefully, the (package?) install script will ask me if I want
md5 passwords and will tell me to run /usr/sbin/md5config if I change my mind
later (the way it is done with shadow).
My main objection is to having defaults that are incompatible with other unices,
and Linux already has plenty of those.
E-mail dmaziuk at bmrb dot wisc dot edu (@work) or at crosswinds dot net (@home)
http://www.bmrb.wisc.edu/descript/gpgkey.dmaziuk.ascii -- GnuPG 1.0.4 public key
The wombat is a mixture of chalk and clay used for respiration. -- MegaHal