Changeset 1068

Timestamp: 01/28/07 22:54:07 (2 years ago)
Author: tushar
Message: Updated Hint: blowfish-passwords

Files:

  • trunk/blowfish-passwords.txt

    r1004 r1068  
    1 AUTHOR: Robert Connolly <robert@linuxfromscratch.org> (ashes) 
     1AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes) 
    22 
    3 DATE: 2004-11-13 
     3DATE: 2006-12-10 
    44 
    55LICENSE: Public Domain 
     
    1010How to install a blowfish crypt library and use it. 
    1111 
    12 PREREQUISITES: Sed v4+ (for the -i option) 
     12PREREQUISITES: None 
    1313 
    1414HINT: 
    15 This hint shows how to disable the installation of libcrypt, either in Glibc 
    16 or uClibc, and then install Libxcrypt to replace it. Libxcrypt includes 
    17 Blowfish, SHA, MD5, DES, and UFC-crypt. Symlinks are made so that applications 
    18 can use libxcrypt without needing patches. 
    19  
    20 If you try to replace libcrypt with libxcrypt on an existing system, it will 
    21 almost certainly break your existing programs. So I suggest installing this 
    22 during an LFS installation. 
    23  
    24 Libxcrypt is maintained by Suse Linux, and is based on the OpenWall patch 
    25 by Solar Designer. You may want to see: 
    26 http://www.openwall.com/crypt/ 
    2715 
    2816A paper on the blowfish algorithm is available here: 
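Review bot: PREREQUISITES is set to None on new line 12, but the Shadow steps added later in this change run aclocal, autoconf and autoheader, so the autotools are needed on the build host and should be listed here. The removed paragraph also held the only pointer to http://www.openwall.com/crypt/; since the new patches are named owl_blowfish, keeping that upstream reference would let readers check where the code comes from. The hint also no longer says whether the Glibc-patch approach is safe to apply on an existing system; state that one way or the other.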
     
    3119DOWNLOAD: 
    3220 
    33 The standalone blowfish library is available here: 
    34  
    35 http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/libxcrypt-2.3.tar.bz2 
    36  
    37 http://www.linuxfromscratch.org/patches/downloads/shadow/\ 
    38         shadow-4.0.13-blowfish-1.patch 
    39  
    40 If you have trouble downloading this package, I put a copy here: 
    41 http://www.linuxfromscratch.org/~robert/blowfish/ 
     21http://ca.lfs-matrix.net/patches/downloads/glibc/glibc-2.5-blowfish.patch 
     22http://ca.lfs-matrix.net/patches/downloads/shadow/\ 
     23        shadow-4.0.18.1-owl_blowfish-1.patch 
     24http://ca.lfs-matrix.net/patches/downloads/sysvinit/\ 
     25        sysvinit-2.86-owl_blowfish.patch 
    4226 
    4327INSTALLATION: 
    4428 
    45 # - Disable the building and installation of libcrypt. 
     29# With Glibc chapter 6: 
    4630 
    47 # When installing uClibc, run this: 
     31patch -Np1 -i ../glibc-2.5-blowfish.patch 
    4832 
    49 sed -e '/libcrypt shared/d' -i Makefile && 
    50 sed -e 's/libcrypt //' -i Makefile 
     33# With Shadow chapter 6: 
    5134 
    52 # When installing Glibc, run this before changing to the build directory: 
     35patch -Np1 -i ../shadow-4.0.18.1-owl_blowfish-1.patch && 
     36aclocal && 
     37autoconf && 
     38autoheader 
    5339 
    54 sed -e 's/crypt//g' -i Makeconfig 
     40# This patch for Shadow must be regenerated with autotools so that this 
     41# patch can be used by many versions of Shadow. As long as the patch applies 
     42# without error then it should work on whichever version of Shadow you are 
     43# using. 
    5544 
    56 # - After GCC pass 2 is installed, build and install Libxcrypt. 
     45# This patch will instruct blowfish to use /dev/random for entropy. If you 
     46# want to use /dev/urandom or something else then use the --with-random= 
     47# configure option. 
    5748 
    58 # Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does 
    59 # not get installed by uClibc. Packages, like libxcrypt, should use their own 
    60 # copy of libc-lock.h, but not all do. So, if you are using uClibc you will 
    61 # need to unpack your uClibc (and libxcrypt) source and do: 
     49# The Sed command for MD5_CRYPT_ENAB, on the Shadow page, won't make any 
     50# difference. If you get an error from 'make install' because of funny 
     51# business from Autoconf, then use: 
    6252 
    63 mkdir libxcrypt-2.3/src/bits/ && 
    64 cp uClibc-0.9.28/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \ 
    65         libxcrypt-2.3/src/bits/libc-lock.h 
     53make MKINSTALLDIRS=$(pwd)/mkinstalldirs install 
    6654 
    67 # And for uClibc also do this: 
     55# Shadow will still be able to use MD5 and DES passwords if you add them to 
     56# /etc/shadow manually, or if you reset "CRYPT_PREFIX" to "$1$" in 
     57# /etc/login.defs. 
    6858 
    69 sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.3/src/md5-crypt.c 
     59# After running 'passwd' you should find your passwords in /etc/shadow 
     60# begin with "$2a$". 
    7061 
    71 # Then build Libxcrypt (chapter 5). 
     62# With Sysvinit chapter 6: 
    7263 
    73 cd libxcrypt-2.3 && 
    74 ./configure --prefix=/tools && 
    75 make && 
    76 make install && 
    77 ln -sf libxcrypt.so /tools/lib/libcrypt.so && 
    78 ln -sf libxcrypt.a /tools/lib/libcrypt.a && 
    79 rm -f /tools/include/crypt.h && 
    80 ln -sf xcrypt.h /tools/include/crypt.h 
    81  
    82 # In Chapter 6 of the LFS/HLFS book, repeat the above commands for uClibc, or 
    83 # Glibc, to disable the installation of libcrypt. Then after re-adjusting the 
    84 # toolchain, install Libxcrypt (HLFS users add --disable-static): 
    85  
    86 # uClibc users, redo the copying of libc-lock.h and the sed command for 
    87 # stpncpy(). 
    88  
    89 cd libxcrypt-2.3 && 
    90 ./configure --prefix=/usr --libdir=/lib && 
    91 make && 
    92 make install && 
    93 ln -sf libxcrypt.so /lib/libcrypt.so && 
    94 ln -sf ../../lib/libcrypt.so /usr/lib/libcrypt.so && 
    95 ln -sf ../../lib/libxcrypt.so /usr/lib/libxcrypt.so && 
    96 rm -f /usr/include/crypt.h && 
    97 ln -sf xcrypt.h /usr/include/crypt.h && 
    98 mv /lib/libxcrypt.*a /usr/lib 
    99  
    100 # Move the static library to /usr, and make a symlink for it (not with HLFS): 
    101  
    102 ln -sf libxcrypt.a /usr/lib/libcrypt.a 
    103  
    104 # Later, build Shadow-utils: 
    105  
    106 patch -Np1 -i ../shadow-4.0.13-blowfish-1.patch  
    107  
    108 # I made this patch use /dev/random for entropy, when making new passwords. 
    109 # This means that changing passwords may take a long time if you run out of 
    110 # entropy (/dev/random is a blocking device). If this is a problem for you 
    111 # then run: 
    112 # sed -e 's@/dev/random@/dev/urandom@g' -i libmisc/salt.c 
    113  
    114 # Also see the entropy.txt hint, to find out how to increase your entropy. 
    115  
    116 # When installing Shadow-utils, run this command instead of the one in the 
    117 # LFS/HLFS book (so we don't configure for MD5): 
    118  
    119 sed -e 's@/var/spool/mail@/var/mail@' \ 
    120     etc/login.defs > etc/login.defs.new && 
    121 install -m644 etc/login.defs.new /etc/login.defs 
     64patch -Np1 -i ../sysvinit-2.86-owl_blowfish.patch 
    12265 
    12366# OpenSSH can be installed normally, and using "--with-md5-passwords" is 
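Review bot: The comment on new lines 45-47 says the patch makes blowfish read /dev/random but drops the old explanation that /dev/random is a blocking device, so the reader is no longer told that changing a password may take a long time when entropy runs out; restore that sentence and say which package's configure takes --with-random=. The three patch URLs on new lines 21-25 are plain http with no checksum, and these patches change password handling in Glibc, Shadow and Sysvinit, so add a digest for each. On new lines 40-43, "This patch for Shadow must be regenerated with autotools" reads as if the patch itself is regenerated; it is the build files that are regenerated after patching, and the wording should say so.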
     
    14386  * Bump to libxcrypt-2.3. 
    14487  * Don't install libcrypt from libc, and install libxcrypt instead. 
     88[2005-12-10] 
     89  * Use Owl Blowfish for Glibc because libxcrypt conflicts with OpenSSH. 
     90  * Added new Shadow and Sysvinit patches.
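Review bot: The new changelog entry is dated [2005-12-10], while the DATE header in this same change is set to 2006-12-10; one of the two looks like a typo and should be corrected. The entry also says libxcrypt conflicts with OpenSSH without saying how; a one-line description or a link would let readers judge whether the conflict affects them.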