r1004 - trunk
archaic at linuxfromscratch.org
Mon Nov 14 19:35:30 PST 2005
Date: 2005-11-14 20:35:13 -0700 (Mon, 14 Nov 2005)
New Revision: 1004
--- trunk/blowfish-passwords.txt 2005-11-13 18:23:37 UTC (rev 1003)
+++ trunk/blowfish-passwords.txt 2005-11-15 03:35:13 UTC (rev 1004)
@@ -1,116 +1,132 @@
AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes)
LICENSE: Public Domain
SYNOPSIS: Blowfish passwords.
-How to install a blowfish crypt library and patch Shadow-utils to use it.
+How to install a blowfish crypt library and use it.
+PREREQUISITES: Sed v4+ (for the -i option)
-There's two ways to install a blowfish library, either add it to libc or
-standalone. For now this hint will describe the standalone library because
-its the most portable, and easiest, method. Both of the libraries in this
-hint are compatible with Bcrypt/OpenBSD passwords. A paper on the blowfish
-algorithm is available here:
+This hint shows how to disable the installation of libcrypt, either in Glibc
+or uClibc, and then install Libxcrypt to replace it. Libxcrypt includes
+Blowfish, SHA, MD5, DES, and UFC-crypt. Symlinks are made so that applications
+can use libxcrypt without needing patches.
+If you try to replace libcrypt with libxcrypt on an existing system, it will
+almost certainly break your existing programs. So I suggest installing this
+during an LFS installation.
+Libxcrypt is maintained by Suse Linux, and is based on the OpenWall patch
+by Solar Designer. You may want to see:
+A paper on the blowfish algorithm is available here:
-If you want to patch Glibc then use this package and follow the directions.
-The shadow patch in this hint will work with it.
The standalone blowfish library is available here:
-The 2.2 version is messed up, it doesn't add ".so" to the library names.
-Debian has fixed this in their patch:
-You will also need the patch for Shadow. This is based on the patch for
-version 4.0.3 from the Openwall site.
-If you have trouble finding these packages, or you want sha1sums for them,
-I put local copies here:
+If you have trouble downloading this package, I put a copy here:
-Ok. First libxcrypt:
-Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
-not get installed by uClibc. Packages, like libxcrypt, should use their own
-copy of libc-lock.h, but not all do. So, if you are using uClibc you will need
-to unpack your uClibc (and libxcrypt) source and do:
+# - Disable the building and installation of libcrypt.
-mkdir libxcrypt-2.2/src/bits/ &&
-cp uClibc-0.9.27/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
+# When installing uClibc, run this:
-And for uClibc also do this:
-sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.2/src/md5-crypt.c
+sed -e '/libcrypt shared/d' -i Makefile &&
+sed -e 's/libcrypt //' -i Makefile
-Then build libxcrypt.
+# When installing Glibc, run this before changing to the build directory:
-cd libxcrypt-2.2 &&
-patch -Np1 -i ../libxcrypt_2.2-1.diff &&
-./configure --libdir=/lib &&
+sed -e 's/crypt//g' -i Makeconfig
+# - After GCC pass 2 is installed, build and install Libxcrypt.
+# Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
+# not get installed by uClibc. Packages, like libxcrypt, should use their own
+# copy of libc-lock.h, but not all do. So, if you are using uClibc you will
+# need to unpack your uClibc (and libxcrypt) source and do:
+mkdir libxcrypt-2.3/src/bits/ &&
+cp uClibc-0.9.28/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
+# And for uClibc also do this:
+sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.3/src/md5-crypt.c
+# Then build Libxcrypt (chapter 5).
+cd libxcrypt-2.3 &&
+./configure --prefix=/tools &&
+make install &&
+ln -sf libxcrypt.so /tools/lib/libcrypt.so &&
+ln -sf libxcrypt.a /tools/lib/libcrypt.a &&
+rm -f /tools/include/crypt.h &&
+ln -sf xcrypt.h /tools/include/crypt.h
+# In Chapter 6 of the LFS/HLFS book, repeat the above commands for uClibc, or
+# Glibc, to disable the installation of libcrypt. Then after re-adjusting the
+# toolchain, install Libxcrypt (HLFS users add --disable-static):
+# uClibc users, redo the copying of libc-lock.h and the sed command for
+cd libxcrypt-2.3 &&
+./configure --prefix=/usr --libdir=/lib &&
make install &&
-mv -f /lib/libxcrypt.*a /usr/lib &&
-rm -f /lib/libxcrypt.so &&
-ln -sf ../../lib/libxcrypt.so.1 /usr/lib/libxcrypt.so
+ln -sf libxcrypt.so /lib/libcrypt.so &&
+ln -sf ../../lib/libcrypt.so /usr/lib/libcrypt.so &&
+ln -sf ../../lib/libxcrypt.so /usr/lib/libxcrypt.so &&
+rm -f /usr/include/crypt.h &&
+ln -sf xcrypt.h /usr/include/crypt.h &&
+mv /lib/libxcrypt.*a /usr/lib
-Next build Shadow-utils.
+# Move the static library to /usr, and make a symlink for it (not with HLFS):
-cd shadow-4.0.7 &&
-patch -Np1 -i ../shadow-4.0.7-crypt_blowfish-1.patch &&
-sed -e 's/lcrypt/lxcrypt/g' -i configure
+ln -sf libxcrypt.a /usr/lib/libcrypt.a
-Now configure and install Shadow-utils like your normally would. If you are
-very paraniod you can add "--with-random=/dev/random" to configure; urandom
-is the default. Remember that if /dev/random is empty then mkpasswd(1) will
-hang until it gets more entropy (see the entropy.txt hint). Most
-administrators will be content using urandom. "MD5_CRYPT_ENAB" does not exist
-in this patched version of "etc/login.defs.linux", so you can run the sed(1)
-command from the book and it will have no affect (run the sed for '/var/mail'
+# Later, build Shadow-utils:
-If you run the OpenSSH daemon then it needs to link to libxcrypt, much the
-same way Shadow-utils does. This command will make sshd link to libxcrypt, but
-without disturbing the sections for "-lcrypt_i" or "-lcrypto" in the configure
+patch -Np1 -i ../shadow-4.0.13-blowfish-1.patch
-sed -e 's/in -lcrypt/in -lxcrypt/g' \
- -e 's/\(LIBS=\".*\)-lcrypt /\1-lxcrypt /g' \
- -e 's/LIBS=\"\$LIBS -lcrypt\"/LIBS=\"\$LIBS -lxcrypt\"/g' \
- -i configure
+# I made this patch use /dev/random for entropy, when making new passwords.
+# This means that changing passwords may take a long time if you run out of
+# entropy (/dev/random is a blocking device). If this is a problem for you
+# then run:
+# sed -e 's@/dev/random@/dev/urandom at g' -i libmisc/salt.c
-The "--with-md5-passwords" switch is optional. If your users supply you with
-their own md5 passwords, or if they have existing md5 passwords, then use
-this switch to keep comptability. If you only want to use blowfish then leave
-it out. I'm pretty sure the only thing this switch does is enable extra long
-passwords (blowfish limit is 72 characters, md5 is unlimited).
+# Also see the entropy.txt hint, to find out how to increase your entropy.
-The libxcrypt library can handle des, bigcrypt, md5, as well as blowfish.
+# When installing Shadow-utils, run this command instead of the one in the
+# LFS/HLFS book (so we don't configure for MD5):
-Then run passwd(1). You can grep (or cat) /etc/shadow to verify the new
-password is in blowfish crypt. Though it's not required, blowfish typically
-begins with "$2a$", while md5 passwords begin with "$1$". Blowfish hashes
-are a bit longer than md5's too.
+sed -e 's@/var/spool/mail@/var/mail@' \
+ etc/login.defs > etc/login.defs.new &&
+install -m644 etc/login.defs.new /etc/login.defs
+# OpenSSH can be installed normally, and using "--with-md5-passwords" is
+# optional (it will still be able to use blowfish passwords too).
* The Openwall project. http://www.openwall.com/crypt/
* Solar Designer. <solar at openwall>
* Thorsten Kukuk. http://ftp.suse.com/pub/people/kukuk/
- * Debian GNU/Linux. http://packages.debian.org/testing/source/libxcrypt
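Review bot: The Glibc step "sed -e 's/crypt//g' -i Makeconfig" is unanchored and global, so it deletes the substring "crypt" wherever it occurs in Makeconfig rather than only the crypt subdirectory entry; match the whole word in the subdirectory list instead. The removed paragraph on checking /etc/shadow for the "$2a$" prefix has no replacement, and because this revision swaps out libcrypt for the whole system, a verification step after passwd(1) is worth keeping. The commented fallback for salt.c reads "/dev/urandom at g", which sed will reject; the expression needs "@g" as its closing delimiter and flag.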
@@ -123,3 +139,6 @@
* Added sed for xcrypt in OpenSSH.
* Fix where the libxcrypt libs are installed.
+ * Bump to libxcrypt-2.3.
+ * Don't install libcrypt from libc, and install libxcrypt instead.
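Review bot: The two added changelog entries omit other changes visible in this revision: the Shadow patch moves from shadow-4.0.7-crypt_blowfish-1.patch to shadow-4.0.13-blowfish-1.patch, salt generation now reads /dev/random where urandom was previously the default, and the OpenSSH configure sed is dropped. Add entries for these, the entropy change in particular, since password changes can now block.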