I just found #93156 (md5 default (was Re: Security trough paranoia)). It was closed by Karl Ramm ([EMAIL PROTECTED]) on Aug 22 2003 with the message:
| md5 passwords are now the default in the passwd package, so this is done; I
| should've noticed this and closed it in the changelog.
So, this is another argument for doing the change in the template so that md5
passwd actually gets the default setting :)
Argh! Argh! triple argh! The passwd.config reads:
# db_get passwd/md5
# if [ "$RET" = true ]; then
USE_MD5=1
# else
# USE_MD5=''
# fi
and another commented occurrence of db_get passwd/md5.
This seems to be related to this changelog entry:
shadow (1:4.0.3-19) unstable; urgency=low
* "No really, assume md5 passwords". Closes: #223664
So, this template is not used anyway! Sigh. Should we drop the debconf
template or try to re-enable this (for example with low priority, and "true"
as default)? I tend toward the second case.
Opinions? Mt.
On Mon, May 09, 2005 at 10:26:34AM +0200, Martin Quinson wrote:
> package passwd
> retitle 117707 [MARTIN] md5 passwd should be enabled by default
> thanks
>
> Hello,
>
> back in 2001, the bug submitter asked for the default settings of md5 and
> shadow on passwd to be set to "true". It looks like the defaults are
> always the following:
> md5->false
> passwd->true
>
> Back in these days, it was said that the first setting was set that way for
> compatibility with old systems. Rumors about parts of Debian not working with
> md5 passwords also occur from time to time.
>
>
> My opinion is to change md5 to true. The template reads:
> Md5 passwords are more secure and allow for passwords longer than 8
> characters to be used. However, they can cause compatibility problems if
> you are using NIS or sharing password files with older systems.
> so I think we don't even have to change this, it's already clear enough.
>
> If it breaks some other package, it's more than time to update the given
> package! Of course, I don't advise doing so for sarge, but for etch >:-)
>
>
> May I proceed or does someone speak against it?
> Mt.
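
To see what the md5 setting discussed in this thread changes on disk, the following added example (not part of the original messages or of the passwd package) classifies the hash scheme of shadow(5)-format entries so that accounts still on traditional DES crypt can be listed. The function names and the sample entries are assumptions made for illustration; the hash fields are constructed dummy strings with the right shape.

```sh
#!/bin/sh
# Added example: classify the hash scheme of shadow(5)-format lines.
# All sample entries are constructed; they are not real password hashes.

classify_hash() {
    # $1 = second field of a shadow entry
    case "$1" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;          # locked or no-login account
        '$1$'*)    echo md5 ;;             # md5-crypt: $1$salt$hash
        '$'*)      echo other-modular ;;   # some other $id$ scheme
        *)
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ] &&
               ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

audit_shadow() {
    # Reads shadow-format lines on stdin, prints "user scheme" per entry.
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done
}

des_users() {
    # Accounts still on DES crypt, where only the first 8 characters count.
    audit_shadow | awk '$2 == "des" { print $1 }'
}

sample_shadow() {
cat <<'EOF'
alice:$1$abcdefgh$0123456789abcdefghijk.:12912:0:99999:7:::
bob:abJnggxhB/yJk:12912:0:99999:7:::
daemon:*:12912:0:99999:7:::
carol:!$1$abcdefgh$0123456789abcdefghijk.:12912:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real system, `des_users < /etc/shadow` (run as root) lists the accounts whose passwords were set before md5 became the effective default and have not been changed since.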

