Re: [chrony-dev] Support for another crypto hash? |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
On Thu, Nov 03, 2011 at 03:19:03PM +0000, Ed W wrote:
> On 02/11/2011 13:45, Miroslav Lichvar wrote:
> > Would support for reading hex passwords be useful? Any suggestions on
> > how to extend the format?
>
> This isn't entirely thought through, but the unix crypt function defined
> an "extensible" hash format, where the hash itself has a {type} prefix
> to it. I believe the point is that the { is not a normal character for
> the hash storage format (base64? didn't check before writing this)
I couldn't find a specification for the extended format.
Currently the password is a string of non-whitespace chars (as read by
sscanf()), so braces would be read as part of the password. Perhaps it
would be easier to always read it as hex or base64 if a hash name was
specified, i.e. use ASCII passwords only for the old format to stay
compatible?
> - This storage format is not space efficient
How many keys do you typically have in chrony.keys?
> - The unix crypt functions are extended in recent glibc (and I posted a
> uclibc patch recently) to include multiple iterated algorithms with a
> view to making bruteforce more difficult. This is something worth
> picking up on now that GPUs compute hashes at >100million per second...
> Salt doesn't help you against that, so long, complex passwords are
> necessary if you need resistance to bruteforcing password hashes...
> (multiple iteration algorithms partially mitigate this)
I'm not sure I understand how this works. The same hash function is
used multiple times on the same data?
> - It would be nice if the password were not stored in the clear on the
> ntp box. However, with the exception of public key crypto, this is at
> odds with secure password exchange on the wire...
If the keyfile was encrypted, the key to that file would still have to
be somewhere in cleartext, or how would be chronyd started?
--
Miroslav Lichvar
---
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.