Comment 12 for bug 287134

James Westby (james-w) wrote : Re: [Bug 287134] Re: users-admin sets up maximum 8 character password

On Wed Sep 02 17:56:58 UTC 2009 Milan Bouchet-Valat wrote:
> I don't really understand how it's working currently. Is Ubuntu using
> SHA? If so, is liboobs writing MD5 passwords to /etc/shadow?

That's what the patch in this bug does. Kees implemented a better
solution for us which gave us encryption of the same strength as
default.

Writing MD5 is better than 3DES, but should still be avoided.

> We should at least support SHA as well as MD5. I plan to make a release
> before Karmic so that a few bugfixes go into it. Do you think you could
> improve the patch before that?

Well, the patch is fine as far as it goes. The main thing to add would
be SHA support.

I would like to see the default be for the strongest that stb knows
about, so that when the switch is made next time the unknown scheme
translates to SHA512 being used, rather than 3DES again.

> Using PAM is of course much cleaner and logical, but we need to find a
> way to send the clear password to the backends, and that won't be done
> before Karmic. An intermediate fix would be Kees's patch [1] to use
> chpasswd, but upstreaming it is difficult since we have to be sure
> chpasswd is present, or use the stb for that. So maybe it would be worth
> fixing the problem once for all using PAM, instead of spending time on
> temporary fixes.

I think that would be good, but as you say it's not straightforward.

Creating the pipe and passing the password over isn't too much work. I
think it will require changing the D-Bus interface though.

Thanks,

James
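
The fallback rule discussed in the message above (an unrecognised scheme name should resolve to the strongest known scheme, not the weakest), as an added example that is not part of the message, the patch, or the liboobs/system-tools-backends code. It assumes the scheme name comes from the `ENCRYPT_METHOD` setting in login.defs; the helper names and sample data are hypothetical, and it also classifies existing shadow entries by their crypt(3) prefix so that weaker hashes can be found.

```python
# Added example: hypothetical helpers and constructed data, not liboobs/stb code.
STRENGTH = ["DES", "MD5", "SHA256", "SHA512"]          # weakest to strongest
PREFIXES = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}  # crypt(3) ids

def configured_method(login_defs_text):
    """Return the ENCRYPT_METHOD value from login.defs text, or None."""
    for raw in login_defs_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "ENCRYPT_METHOD":
            return words[1]
    return None

def resolve_method(name):
    """Missing or unrecognised names fall through to the strongest scheme."""
    name = (name or "").upper()
    return name if name in STRENGTH else STRENGTH[-1]

def classify(field):
    """Identify the scheme of one shadow password field (None = no hash)."""
    field = field.lstrip("!")            # a leading '!' only marks a locked account
    if field in ("", "*"):
        return None
    for prefix, scheme in PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    # Traditional DES crypt: 13 characters, no '$' prefix, 8 significant chars.
    return "DES" if len(field) == 13 and "$" not in field else "UNKNOWN"

def weaker_than(shadow_text, wanted):
    """Map user -> scheme for every hash weaker than (or unknown to) `wanted`."""
    floor = STRENGTH.index(wanted)
    found = {}
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        scheme = classify(rest.split(":", 1)[0])
        if scheme and (scheme == "UNKNOWN" or STRENGTH.index(scheme) < floor):
            found[user] = scheme
    return found

# Constructed samples: the hash bodies are filler, not real digests.
LOGIN_DEFS = "# constructed\nENCRYPT_METHOD FUTURE_SCHEME\n"
SHADOW = "\n".join([
    "alice:$6$c0nstruct$" + "A" * 86 + ":14489:0:99999:7:::",
    "bob:$1$c0nstruct$" + "B" * 22 + ":14489:0:99999:7:::",
    "carol:abCdEfGhIjKlM:14489:0:99999:7:::",
    "daemon:*:14489:0:99999:7:::",
    "dave:!$6$c0nstruct$" + "D" * 86 + ":14489:0:99999:7:::",
])

if __name__ == "__main__":
    wanted = resolve_method(configured_method(LOGIN_DEFS))
    print(wanted, weaker_than(SHADOW, wanted))
```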