blowfish-passwords hint update

Robert Connolly robert at linuxfromscratch.org
Sun Nov 13 19:10:47 PST 2005


Hi. I forgot to symlink /lib/libcrypt.so to /usr/lib. Please update this 
attachment instead.

robert
-------------- next part --------------
AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes)

DATE: 2004-11-13

LICENSE: Public Domain

SYNOPSIS: Blowfish passwords.

DESCRIPTION:
How to install a blowfish crypt library and use it.

PREREQUISITES: Sed v4+ (for the -i option)

HINT:
This hint shows how to disable the installation of libcrypt, either in Glibc
or uClibc, and then install Libxcrypt to replace it. Libxcrypt includes
Blowfish, SHA, MD5, DES, and UFC-crypt. Symlinks are made so that applications
can use libxcrypt without needing patches.

If you try to replace libcrypt with libxcrypt on an existing system, it will
almost certainly break your existing programs. So I suggest installing this
during an LFS installation.

Libxcrypt is maintained by Suse Linux, and is based on the OpenWall patch
by Solar Designer. You may want to see:
http://www.openwall.com/crypt/

A paper on the blowfish algorithm is available here:
http://www.usenix.org/events/usenix99/provos.html

DOWNLOAD:

The standalone blowfish library is available here:

http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/libxcrypt-2.3.tar.bz2

http://www.linuxfromscratch.org/patches/downloads/shadow/\
	shadow-4.0.13-blowfish-1.patch

If you have trouble downloading this package, I put a copy here:
http://www.linuxfromscratch.org/~robert/blowfish/

INSTALLATION:

# - Disable the building and installation of libcrypt.

# When installing uClibc, run this:

sed -e '/libcrypt shared/d' -i Makefile &&
sed -e 's/libcrypt //' -i Makefile

# When installing Glibc, run this before changing to the build directory:

sed -e 's/crypt//g' -i Makeconfig

# - After GCC pass 2 is installed, build and install Libxcrypt.

# Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
# not get installed by uClibc. Packages, like libxcrypt, should use their own
# copy of libc-lock.h, but not all do. So, if you are using uClibc you will
# need to unpack your uClibc (and libxcrypt) source and do:

mkdir libxcrypt-2.3/src/bits/ &&
cp uClibc-0.9.28/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
	libxcrypt-2.3/src/bits/libc-lock.h

# And for uClibc also do this:

sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.3/src/md5-crypt.c

# Then build Libxcrypt (chapter 5).

cd libxcrypt-2.3 &&
./configure --prefix=/tools &&
make &&
make install &&
ln -sf libxcrypt.so /tools/lib/libcrypt.so &&
ln -sf libxcrypt.a /tools/lib/libcrypt.a &&
rm -f /tools/include/crypt.h &&
ln -sf xcrypt.h /tools/include/crypt.h

# In Chapter 6 of the LFS/HLFS book, repeat the above commands for uClibc, or
# Glibc, to disable the installation of libcrypt. Then after re-adjusting the
# toolchain, install Libxcrypt (HLFS users add --disable-static):

# uClibc users, redo the copying of libc-lock.h and the sed command for
# stpncpy().

cd libxcrypt-2.3 &&
./configure --prefix=/usr --libdir=/lib &&
make &&
make install &&
ln -sf libxcrypt.so /lib/libcrypt.so &&
ln -sf ../../lib/libcrypt.so /usr/lib/libcrypt.so &&
ln -sf ../../lib/libxcrypt.so /usr/lib/libxcrypt.so &&
rm -f /usr/include/crypt.h &&
ln -sf xcrypt.h /usr/include/crypt.h &&
mv /lib/libxcrypt.*a /usr/lib

# Move the static library to /usr, and make a symlink for it (not with HLFS):

ln -sf libxcrypt.a /usr/lib/libcrypt.a

# Later, build Shadow-utils:

patch -Np1 -i ../shadow-4.0.13-blowfish-1.patch 

# I made this patch use /dev/random for entropy, when making new passwords.
# This means that changing passwords may take a long time if you run out of
# entropy (/dev/random is a blocking device). If this is a problem for you
# then run:
# sed -e 's@/dev/random@/dev/urandom@g' -i libmisc/salt.c

# Also see the entropy.txt hint, to find out how to increase your entropy.

# When installing Shadow-utils, run this command instead of the one in the
# LFS/HLFS book (so we don't configure for MD5):

sed -e 's@/var/spool/mail@/var/mail@' \
    etc/login.defs > etc/login.defs.new &&
install -m644 etc/login.defs.new /etc/login.defs

# OpenSSH can be installed normally, and using "--with-md5-passwords" is
# optional (it will still be able to use blowfish passwords too).

ACKNOWLEDGMENTS:
  * The Openwall project. http://www.openwall.com/crypt/
  * Solar Designer. <solar at openwall>
  * Thorsten Kukuk. http://ftp.suse.com/pub/people/kukuk/

CHANGELOG:
[2005-02-04]
  * Initial hint.
[2005-02-05]
  * Added note for --with-random.
  * Added note for SSHD's with-md5-passwords.
  * Move libxcrypt.la file to /usr/lib.
[2005-02-06]
  * Added sed for xcrypt in OpenSSH.
[2005-02-24]
  * Fix where the libxcrypt libs are installed.
[2005-11-13]
  * Bump to libxcrypt-2.3.
  * Don't install libcrypt from libc, and install libxcrypt instead.
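
ADDED EXAMPLE (not part of the original hint, nor code from Shadow or
Libxcrypt): a hash is only rewritten when a password is set, so after the steps
above it is worth checking which scheme each shadow entry uses. The function
names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the crypt(3) scheme of each shadow entry by its prefix.

# classify_hash FIELD: print the scheme name for one shadow password field.
classify_hash() {
    case "$1" in
        '') echo empty ;;                  # no password set at all
        '!'*|'*'*) echo locked ;;          # login disabled
        '$2'[abxy]'$'*)
            # Blowfish ($2a$ and its later variants): prefix, two-digit cost,
            # '$', then 53 characters holding the salt and the hash.
            if printf '%s\n' "$1" |
               grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
                echo blowfish
            else
                echo malformed-blowfish
            fi ;;
        '$1$'*) echo md5 ;;
        '$'*) echo other ;;                # some other prefixed scheme
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user scheme" for
# each entry, and return 1 if any entry is neither locked nor Blowfish.
audit_shadow() {
    rc=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        printf '%s %s\n' "$user" "$scheme"
        case "$scheme" in blowfish|locked) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample entries (not real hashes); the quoted heredoc keeps the
# '$' characters literal.
sample_shadow() {
    cat <<'EOF'
alice:$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:13100:0:99999:7:::
bob:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:13100:0:99999:7:::
carol:ab0123456789A:13100:0:99999:7:::
daemon:*:13100:0:99999:7:::
EOF
}

sample_shadow | audit_shadow || echo "entries not marked blowfish need a new password"
```

On a real system, run it as root with: audit_shadow < /etc/shadow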