Subject: s/key (cont.)
To: None <tech-net@netbsd.org, tech-userlevel@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 01/30/2000 19:49:47

On Sun, Jan 30, 2000 at 02:23:47PM -0500, Andrew Brown wrote:
>
>bsdi has added (and uses by default) md5 (so if you're trying to use
>the skey calculator on bsdi, you need to specify -4).  opie, i
>believe, adds md5 and possibly sha1 as algorithmic choices.
>
>i've got backwards compatible patches to libskey that make it able to
>use md5.  sha1 ought not to be that difficult to add.

okay, i dug them up.  now i have several points on which i'd like to
request comments before i send-pr the patches.

most of the changes are to the files that comprise libskey.  login,
su, ftpd, and skeyinfo (and anything else you've written) all just
need to be recompiled, but skeyinit has a small patch as well.

(1) this would require a major bump on libskey, since i need to change
the api for two public function calls in the library: f() and
keycrunch().  any problem there?

(2) bsdi's /etc/skeykeys file looks like this:

   username MD4 0098 ns59306          a86b83d5c04d7d00  Mar 05,1997 12:36:56

and ours looks like

   username 0098 ns59306          a86b83d5c04d7d00  Mar 05,1997 12:36:56

and what i hacked up a few years ago changes ours to

   username 0098/4 ns59306        a86b83d5c04d7d00  Mar 05,1997 12:36:56

by stealing space for the two new characters from the 16 characters
allotted for the seed.  my changes are completely backwards compatible
to existing skeykeys files, by simply defaulting to md4 (and later
writing out a slightly modified record) if the algorithm isn't
specified.

obviously, with slight changes, i could enable bsdi file reading, but
writing out the new record would be difficult, since the new record
would take up four (or five, in the case of sha1) more characters and
overrun the subsequent line.

so, is it better to (a) steal two characters (which is safe) or (b) go
for bsdi file compatibility (with the algorithm token being optional)?

note that anything that writes out longer records than it reads in
(ie, reading an older skeykeys file and writing a new record) will
lose, since the longer record will overrun the next line in the file.
this includes running skeyinit to generate a new skey, since it
simply overwrites any existing record you already have for yourself.
note: is anything (or anyone) using the whole 16 characters for the
seed already?

(3) if i was to add md2 (anyone interested?) or sha1, where should i
put the sources?  in libc, of course, and the md2 stuff would
obviously go in src/lib/libc/md, but where should the sha1 stuff go?
same place?  it makes more sense to me to put it there than anywhere
else, even though it's not an md routine.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
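
The record-length concern in point (2), as an added example that is not part of the original message and is not libskey code: it parses the three skeykeys layouts quoted above (defaulting to md4 when no algorithm is given) and reports how many bytes an in-place rewrite in another layout would add. The struct, function names, field widths (read off the sample lines) and the reading of the digit after "/" as the N of mdN are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed record model for this example; not libskey's own struct. */
struct rec { char user[32], alg[8], seed[17], key[17], date[32]; int seq; };

/* Parse any of the three layouts quoted above; no algorithm token means md4.
 * Returns 0 on success, -1 on a malformed line. */
int parse_rec(const char *line, struct rec *r)
{
    char tok[32], *slash;
    int n = 0, m = 0;
    if (sscanf(line, "%31s %31s %n", r->user, tok, &n) != 2) return -1;
    strcpy(r->alg, "md4");
    if (isalpha((unsigned char)tok[0])) {            /* bsdi: "MD4 0098" */
        if (tok[0] != 'M' || tok[1] != 'D' || !isdigit((unsigned char)tok[2]) || tok[3])
            return -1;                               /* md4/md5 only in this example */
        snprintf(r->alg, sizeof r->alg, "md%c", tok[2]);
        if (sscanf(line + n, "%31s %n", tok, &m) != 1) return -1;
        n += m;
    } else if ((slash = strchr(tok, '/')) != NULL) { /* "0098/4" */
        /* Assumption: the digit is the N of mdN; the message shows only /4. */
        if (!isdigit((unsigned char)slash[1]) || slash[2]) return -1;
        snprintf(r->alg, sizeof r->alg, "md%c", slash[1]);
    }
    if (sscanf(tok, "%d", &r->seq) != 1) return -1;
    return sscanf(line + n, "%16s %16s %31[^\n]", r->seed, r->key, r->date) == 3 ? 0 : -1;
}

/* Format as 'o' (current layout), 's' (two seed columns stolen) or 'b' (bsdi). */
int format_rec(const struct rec *r, int layout, char *out, size_t len)
{
    char head[24];
    if (layout == 's') snprintf(head, sizeof head, "%04d/%c", r->seq, r->alg[2]);
    else if (layout == 'b') snprintf(head, sizeof head, "MD%c %04d", r->alg[2], r->seq);
    else snprintf(head, sizeof head, "%04d", r->seq);
    return snprintf(out, len, "%s %s %-*s %s  %s", r->user, head,
                    layout == 's' ? 14 : 16, r->seed, r->key, r->date);
}

/* Bytes by which rewriting old_line (no trailing newline) in `layout` grows
 * the record; anything above 0 overruns the next line of the file. */
int rewrite_growth(const char *old_line, int layout, int *growth)
{
    struct rec r;
    char buf[256];
    if (parse_rec(old_line, &r) != 0) return -1;
    *growth = format_rec(&r, layout, buf, sizeof buf) - (int)strlen(old_line);
    return 0;
}
```

For the sample record the 's' layout grows by 0 bytes and the 'b' layout by 4; a seed that already uses all 16 characters makes the 's' layout grow by 2.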