r1004 - trunk

archaic at linuxfromscratch.org
Mon Nov 14 19:35:30 PST 2005


Author: archaic
Date: 2005-11-14 20:35:13 -0700 (Mon, 14 Nov 2005)
New Revision: 1004

Modified:
   trunk/blowfish-passwords.txt
Log:
Updated: blowfish-passwords.txt

Modified: trunk/blowfish-passwords.txt
===================================================================
--- trunk/blowfish-passwords.txt	2005-11-13 18:23:37 UTC (rev 1003)
+++ trunk/blowfish-passwords.txt	2005-11-15 03:35:13 UTC (rev 1004)
@@ -1,116 +1,132 @@
 AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes)
 
-DATE: 2004-02-24
+DATE: 2004-11-13
 
 LICENSE: Public Domain
 
 SYNOPSIS: Blowfish passwords.
 
 DESCRIPTION:
-How to install a blowfish crypt library and patch Shadow-utils to use it.
+How to install a blowfish crypt library and use it.
 
-PREREQUISITES: None
+PREREQUISITES: Sed v4+ (for the -i option)
 
 HINT:
-There's two ways to install a blowfish library, either add it to libc or
-standalone. For now this hint will describe the standalone library because
-its the most portable, and easiest, method. Both of the libraries in this
-hint are compatible with Bcrypt/OpenBSD passwords. A paper on the blowfish
-algorithm is available here:
+This hint shows how to disable the installation of libcrypt, either in Glibc
+or uClibc, and then install Libxcrypt to replace it. Libxcrypt includes
+Blowfish, SHA, MD5, DES, and UFC-crypt. Symlinks are made so that applications
+can use libxcrypt without needing patches.
+
+If you try to replace libcrypt with libxcrypt on an existing system, it will
+almost certainly break your existing programs. So I suggest installing this
+during an LFS installation.
+
+Libxcrypt is maintained by Suse Linux, and is based on the OpenWall patch
+by Solar Designer. You may want to see:
+http://www.openwall.com/crypt/
+
+A paper on the blowfish algorithm is available here:
 http://www.usenix.org/events/usenix99/provos.html
 
-If you want to patch Glibc then use this package and follow the directions.
-The shadow patch in this hint will work with it.
-http://www.openwall.com/crypt/crypt_blowfish-0.4.6.tar.gz
+DOWNLOAD:
 
 The standalone blowfish library is available here:
-http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/libxcrypt-2.2.tar.bz2
 
-The 2.2 version is messed up, it doesn't add ".so" to the library names.
-Debian has fixed this in their patch:
-http://ftp.debian.org/debian/pool/main/libx/libxcrypt/libxcrypt_2.2-1.diff.gz
+http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/libxcrypt-2.3.tar.bz2
 
-You will also need the patch for Shadow. This is based on the patch for
-version 4.0.3 from the Openwall site.
 http://www.linuxfromscratch.org/patches/downloads/shadow/\
-	shadow-4.0.7-crypt_blowfish-1.patch
+	shadow-4.0.13-blowfish-1.patch
 
-If you have trouble finding these packages, or you want sha1sums for them,
-I put local copies here:
+If you have trouble downloading this package, I put a copy here:
 http://www.linuxfromscratch.org/~robert/blowfish/
 
-Ok. First libxcrypt:
+INSTALLATION:
 
-Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
-not get installed by uClibc. Packages, like libxcrypt, should use their own
-copy of libc-lock.h, but not all do. So, if you are using uClibc you will need
-to unpack your uClibc (and libxcrypt) source and do:
+# - Disable the building and installation of libcrypt.
 
-mkdir libxcrypt-2.2/src/bits/ &&
-cp uClibc-0.9.27/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
-libxcrypt-2.2/src/bits/libc-lock.h
+# When installing uClibc, run this:
 
-And for uClibc also do this:
-sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.2/src/md5-crypt.c
+sed -e '/libcrypt shared/d' -i Makefile &&
+sed -e 's/libcrypt //' -i Makefile
 
-Then build libxcrypt.
+# When installing Glibc, run this before changing to the build directory:
 
-cd libxcrypt-2.2 &&
-patch -Np1 -i ../libxcrypt_2.2-1.diff &&
-./configure --libdir=/lib &&
+sed -e 's/crypt//g' -i Makeconfig
+
+# - After GCC pass 2 is installed, build and install Libxcrypt.
+
+# Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
+# not get installed by uClibc. Packages, like libxcrypt, should use their own
+# copy of libc-lock.h, but not all do. So, if you are using uClibc you will
+# need to unpack your uClibc (and libxcrypt) source and do:
+
+mkdir libxcrypt-2.3/src/bits/ &&
+cp uClibc-0.9.28/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
+	libxcrypt-2.3/src/bits/libc-lock.h
+
+# And for uClibc also do this:
+
+sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.3/src/md5-crypt.c
+
+# Then build Libxcrypt (chapter 5).
+
+cd libxcrypt-2.3 &&
+./configure --prefix=/tools &&
 make &&
-make check
+make install &&
+ln -sf libxcrypt.so /tools/lib/libcrypt.so &&
+ln -sf libxcrypt.a /tools/lib/libcrypt.a &&
+rm -f /tools/include/crypt.h &&
+ln -sf xcrypt.h /tools/include/crypt.h
 
+# In Chapter 6 of the LFS/HLFS book, repeat the above commands for uClibc, or
+# Glibc, to disable the installation of libcrypt. Then after re-adjusting the
+# toolchain, install Libxcrypt (HLFS users add --disable-static):
+
+# uClibc users, redo the copying of libc-lock.h and the sed command for
+# stpncpy().
+
+cd libxcrypt-2.3 &&
+./configure --prefix=/usr --libdir=/lib &&
+make &&
 make install &&
-mv -f /lib/libxcrypt.*a /usr/lib &&
-rm -f /lib/libxcrypt.so &&
-ln -sf ../../lib/libxcrypt.so.1 /usr/lib/libxcrypt.so
+ln -sf libxcrypt.so /lib/libcrypt.so &&
+ln -sf ../../lib/libcrypt.so /usr/lib/libcrypt.so &&
+ln -sf ../../lib/libxcrypt.so /usr/lib/libxcrypt.so &&
+rm -f /usr/include/crypt.h &&
+ln -sf xcrypt.h /usr/include/crypt.h &&
+mv /lib/libxcrypt.*a /usr/lib
 
-Next build Shadow-utils.
+# Move the static library to /usr, and make a symlink for it (not with HLFS):
 
-cd shadow-4.0.7 &&
-patch -Np1 -i ../shadow-4.0.7-crypt_blowfish-1.patch &&
-sed -e 's/lcrypt/lxcrypt/g' -i configure
+ln -sf libxcrypt.a /usr/lib/libcrypt.a
 
-Now configure and install Shadow-utils like your normally would. If you are
-very paraniod you can add "--with-random=/dev/random" to configure; urandom
-is the default. Remember that if /dev/random is empty then mkpasswd(1) will
-hang until it gets more entropy (see the entropy.txt hint). Most
-administrators will be content using urandom. "MD5_CRYPT_ENAB" does not exist
-in this patched version of "etc/login.defs.linux", so you can run the sed(1)
-command from the book and it will have no affect (run the sed for '/var/mail'
-though).
+# Later, build Shadow-utils:
 
-If you run the OpenSSH daemon then it needs to link to libxcrypt, much the
-same way Shadow-utils does. This command will make sshd link to libxcrypt, but
-without disturbing the sections for "-lcrypt_i" or "-lcrypto" in the configure
-script:
+patch -Np1 -i ../shadow-4.0.13-blowfish-1.patch 
 
-sed -e 's/in -lcrypt/in -lxcrypt/g' \
-	-e 's/\(LIBS=\".*\)-lcrypt /\1-lxcrypt /g' \
-	-e 's/LIBS=\"\$LIBS -lcrypt\"/LIBS=\"\$LIBS -lxcrypt\"/g' \
-	-i configure
+# I made this patch use /dev/random for entropy, when making new passwords.
+# This means that changing passwords may take a long time if you run out of
+# entropy (/dev/random is a blocking device). If this is a problem for you
+# then run:
+# sed -e 's@/dev/random@/dev/urandom at g' -i libmisc/salt.c
 
-The "--with-md5-passwords" switch is optional. If your users supply you with
-their own md5 passwords, or if they have existing md5 passwords, then use
-this switch to keep comptability. If you only want to use blowfish then leave
-it out. I'm pretty sure the only thing this switch does is enable extra long
-passwords (blowfish limit is 72 characters, md5 is unlimited).
+# Also see the entropy.txt hint, to find out how to increase your entropy.
 
-The libxcrypt library can handle des, bigcrypt, md5, as well as blowfish.
+# When installing Shadow-utils, run this command instead of the one in the
+# LFS/HLFS book (so we don't configure for MD5):
 
-Then run passwd(1). You can grep (or cat) /etc/shadow to verify the new
-password is in blowfish crypt. Though it's not required, blowfish typically
-begins with "$2a$", while md5 passwords begin with "$1$". Blowfish hashes
-are a bit longer than md5's too.
+sed -e 's@/var/spool/mail@/var/mail@' \
+    etc/login.defs > etc/login.defs.new &&
+install -m644 etc/login.defs.new /etc/login.defs
 
-Done.
+# OpenSSH can be installed normally, and using "--with-md5-passwords" is
+# optional (it will still be able to use blowfish passwords too).
 
 ACKNOWLEDGMENTS:
   * The Openwall project. http://www.openwall.com/crypt/
   * Solar Designer. <solar at openwall>
   * Thorsten Kukuk. http://ftp.suse.com/pub/people/kukuk/
-  * Debian GNU/Linux. http://packages.debian.org/testing/source/libxcrypt
 
 CHANGELOG:
 [2005-02-04]
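Review bot: The Glibc step `sed -e 's/crypt//g' -i Makeconfig` strips every occurrence of the string "crypt" from Makeconfig, not only the subdirectory entry it is aimed at; use a more specific pattern, as the uClibc line does with `'s/libcrypt //'`, so an unrelated name containing "crypt" cannot be altered silently. The new build blocks also drop the old `make check`, and the closing step that ran passwd(1) and looked for a "$2a$" prefix in /etc/shadow is gone; since libxcrypt now stands in for libc's crypt for every program, keep both so a reader can confirm the library's tests pass and that new hashes really are Blowfish. In the header, DATE becomes 2004-11-13 while the changelog entry added below is 2005-11-13, so the year looks like a typo. In DOWNLOAD, the sentence that introduced the Shadow patch URL was removed, leaving that URL without a description, and the offer of sha1sums was dropped; listing a checksum for each download would let readers verify what they fetched over plain HTTP.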
@@ -123,3 +139,6 @@
   * Added sed for xcrypt in OpenSSH.
 [2005-02-24]
   * Fix where the libxcrypt libs are installed.
+[2005-11-13]
+  * Bump to libxcrypt-2.3.
+  * Don't install libcrypt from libc, and install libxcrypt instead.
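Review bot: The 2005-11-13 changelog entry leaves out several changes made in the same revision: the Shadow patch moved to shadow-4.0.13-blowfish-1.patch, the OpenSSH configure sed recorded in the earlier entry ("Added sed for xcrypt in OpenSSH.") was removed, the Debian libxcrypt patch is no longer applied, and the Shadow patch now reads /dev/random when making new passwords. Add a line for each so readers updating from the previous hint can see what changed and why password changes may now block.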



