Let's face it: MD5, while it might be more than plain old DES, it is a weak algorithm to encrypt your passwords with. To give you proof, in 2008, researchers demonstrated that MD5 is very weak to collision attacks, and can create false data that appears to be trustworthy. For proof:
http://www.kb.cert.org/vuls/id/836068 And the recommendation: Do not use MD5 for anything. This includes certificates, passwords, and even for verifying files. So, this means that it's time to switch to different algorithms. The only two choices we have right now are Blowfish, and SHA-2 (256 and 512). Since using Blowfish requires modifications to Glibc and Shadow, this means the easiest route to take would be to use SHA-2. What this means for both LFS and BLFS is: * The Shadow instructions need to have the password encryption changed from MD5 to SHA-512 * The PAM configuration files also need MD5 converted to SHA-512 * And all of the MD5 hashes for the packages need to be converted to SHA-256 hashes. The last one would require changes to all of the books in order to work. But belive me, with the flaws that MD5 has, you probably want to ditch it sooner or later. As for which list this belongs on, I belive it belongs on all of the -dev lists, but I'll first send it to the lfs-dev list. -- William Immendorf The ultimate in free computing. Messages in plain text, please, no HTML. GPG key ID: 1697BE98 If it's not signed, it's not from me. -------------- "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman -- http://linuxfromscratch.org/mailman/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
