
Re: Transition: new PAM config file handling in unstable



On Thu, Aug 21, 2003 at 12:40:35PM -0400, Joey Hess wrote:
> Steve Langasek wrote:
> > - It will now be possible to choose md5 vs. crypt passwords at install
> >   time without violating policy.  (Currently, a number of conffiles are
> >   being modified by maintainer scripts in order to enable md5
> >   passwords.)  Actually making this process policy-compliant will
> >   require changes to a number of other packages prior to release.

> It's great to finally have this. Have you considered doing something to
> ease upgrades of systems whose admins chose to enable md5 passwords via
> passwd's debconf questions?

> root@dragon:/home/joey>debconf-show passwd |grep md5 
> * passwd/md5: true

> If that is set then it would probably be a good idea if services
> continued to support md5 after the transition. I'm not a pam expert, but
> maybe /etc/pam.d/other would be changed to include md5 in this case?

Given that all the files involved were conffiles prior to this
transition, I think no additional work is needed to correctly support
systems that are being upgraded.  Can you confirm whether
/etc/pam.d/other already contains 'md5' on the machine above?  If not,
I'll add that to the top of the TODO list.

A decision still needs to be made about which package should be asking
the question, I think.  Policy would normally require that
libpam-runtime is the only package editing any of these files; and
indeed, since the passwd package is not essential, it is conceivable to
have a system with libpam-runtime installed but not passwd, and the
question would still be relevant for other services that allow password
changes.  Are there problems with using debconf from a package that's in
the dependency chain of login (an essential package)?  If so, this would
also pose a problem with trying to poll debconf values to fix
/etc/pam.d/other on upgrade.

-- 
Steve Langasek
postmodern programmer
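
The check asked for above (whether `/etc/pam.d/other` already contains 'md5'), as an added example that is not part of the original message. It assumes `md5` appears as a module argument on `pam_unix.so` `password` lines; the function name `pam_md5_status` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# pam_md5_status FILE  (hypothetical helper, not from any Debian package)
# Exit 0: every pam_unix "password" rule carries md5.
# Exit 1: at least one such rule lacks md5 (offending rules are printed).
# Exit 2: the file has no pam_unix "password" rule at all.
pam_md5_status() {
    awk '
        # Join backslash-continued lines into one logical line.
        /\\$/ { buf = buf substr($0, 1, length($0) - 1) " "; next }
        { line = buf $0; buf = "" }
        # Skip comments and blank lines, so a commented-out rule is not counted.
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        {
            orig = line
            # Collapse bracketed fields such as "[success=1 default=ignore]"
            # into one token so the module path is always field 3.
            while ((s = index(line, "[")) && (e = index(substr(line, s), "]")))
                line = substr(line, 1, s - 1) "CTRL" substr(line, s + e)
            $0 = line
            type = $1; sub(/^-/, "", type)
            if (type != "password" || $3 !~ /(^|\/)pam_unix\.so$/) next
            found = 1; has = 0
            for (i = 4; i <= NF; i++) if ($i == "md5") has = 1
            if (!has) { missing = 1; print "no md5: " orig }
        }
        END { if (!found) exit 2; exit (missing ? 1 : 0) }
    ' "$1"
}

# Constructed sample standing in for /etc/pam.d/other; not from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example file
auth     required   pam_unix.so
# password required pam_unix.so md5
password required   pam_unix.so nullok obscure \
                    min=4 max=8
EOF
rc=0
pam_md5_status "$sample" || rc=$?
echo "status: $rc"
rm -f "$sample"
```

A plain `grep md5` would report a match on this sample because of the commented-out rule; the helper only counts active `password` rules.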
