> I just found out that ypcipher=old is no longer supported in login.conf.

That is correct.

We have deprecated and removed the legacy ciphers.  Passing such simple
hashes over ethernet in 2015 is not best practice.

> Since I have a mixed platform lab network using YP (FreeBSD servers) I am
> curious if anyone has some experience of how portable blowfish is as a
> cipher for YP passwords.

Don't know if they are compatible.  Blowfish itself has had a few
generations.  There was the original in 2001 or so, soon followed by a
fix in 2002(?).  Then a few years ago a Linux version of blowfish was
found to have a bug in rare configurations, but to keep everyone safe
we all adopted some small changes and made a newer version -- $2b$.

> FreeBSD man pages say that they support it.  I also have lots of old and new
> Linux clients and just a few OpenBSD clients in the network.  Linux as usual
> shines being badly documented so I cannot find out if any of those support
> blowfish.  Therefore I ask this list if anyone knows about this?
>
> Are there more password ciphers planned for the future, e.g. sha256 and sha512?

No, we will not be adding those.

Those simple hashes do not provide the future-proof, high-cost-to-crack
features of bcrypt, which has made it successful as an industry staple.
The dumb hashes even arrived years after bcrypt, seems likely the result
of choosing ideas "not invented by openbsd".

> Do you have any other tips on how to handle logins in a mixed OS YP network?

These days, I would recommend using YP in fewer places.  I wrote the
code, but even I don't use it.  Each time I make changes that need testing
in a YP environment, my test group has shrunk again...
