r1068 - trunk

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Sun Jan 28 21:54:08 PST 2007

Author: tushar
Date: 2007-01-28 22:54:07 -0700 (Sun, 28 Jan 2007)
New Revision: 1068

Updated Hint: blowfish-passwords

Modified: trunk/blowfish-passwords.txt
--- trunk/blowfish-passwords.txt	2007-01-29 05:52:53 UTC (rev 1067)
+++ trunk/blowfish-passwords.txt	2007-01-29 05:54:07 UTC (rev 1068)
@@ -1,6 +1,6 @@
-AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes)
+AUTHOR: Robert Connolly <robert at linuxfromscratch.org> (ashes)
-DATE: 2004-11-13
+DATE: 2006-12-10
 LICENSE: Public Domain
@@ -9,117 +9,60 @@
 How to install a blowfish crypt library and use it.
-PREREQUISITES: Sed v4+ (for the -i option)
-This hint shows how to disable the installation of libcrypt, either in Glibc
-or uClibc, and then install Libxcrypt to replace it. Libxcrypt includes
-Blowfish, SHA, MD5, DES, and UFC-crypt. Symlinks are made so that applications
-can use libxcrypt without needing patches.
-If you try to replace libcrypt with libxcrypt on an existing system, it will
-almost certainly break your existing programs. So I suggest installing this
-during an LFS installation.
-Libxcrypt is maintained by Suse Linux, and is based on the OpenWall patch
-by Solar Designer. You may want to see:
 A paper on the blowfish algorithm is available here:
-The standalone blowfish library is available here:
+	shadow-
+	sysvinit-2.86-owl_blowfish.patch
-	shadow-4.0.13-blowfish-1.patch
-If you have trouble downloading this package, I put a copy here:
-# - Disable the building and installation of libcrypt.
+# With Glibc chapter 6:
-# When installing uClibc, run this:
+patch -Np1 -i ../glibc-2.5-blowfish.patch
-sed -e '/libcrypt shared/d' -i Makefile &&
-sed -e 's/libcrypt //' -i Makefile
+# With Shadow chapter 6:
-# When installing Glibc, run this before changing to the build directory:
+patch -Np1 -i ../shadow- &&
+aclocal &&
+autoconf &&
-sed -e 's/crypt//g' -i Makeconfig
+# This patch for Shadow must be regenerated with autotools so that this
+# patch can be used by many versions of Shadow. As long as the patch applies
+# without error then it should work on whichever version of Shadow you are
+# using.
-# - After GCC pass 2 is installed, build and install Libxcrypt.
+# This patch will instruct blowfish to use /dev/random for entropy. If you
+# want to use /dev/urandom or something else then use the --with-random=
+# configure option.
-# Libxcrypt needs "bits/libc-lock.h", this is a libc internal header and does
-# not get installed by uClibc. Packages, like libxcrypt, should use their own
-# copy of libc-lock.h, but not all do. So, if you are using uClibc you will
-# need to unpack your uClibc (and libxcrypt) source and do:
+# The Sed command for MD5_CRYPT_ENAB, on the Shadow page, won't make any
+# difference. If you get an error from 'make install' because of funny
+# business from Autoconf, then use:
-mkdir libxcrypt-2.3/src/bits/ &&
-cp uClibc-0.9.28/libpthread/linuxthreads/sysdeps/pthread/bits/libc-lock.h \
-	libxcrypt-2.3/src/bits/libc-lock.h
+make MKINSTALLDIRS=$(pwd)/mkinstalldirs install
-# And for uClibc also do this:
+# Shadow will still be able to use MD5 and DES passwords if you add them to
+# /etc/shadow manually, or if you reset "CRYPT_PREFIX" to "$1$" in
+# /etc/login.defs.
-sed -e 's/__stpncpy/stpncpy/g' -i libxcrypt-2.3/src/md5-crypt.c
+# After running 'passwd' you should find your passwords in /etc/shadow
+# begin with "$2a$".
-# Then build Libxcrypt (chapter 5).
+# With Sysvinit chapter 6:
-cd libxcrypt-2.3 &&
-./configure --prefix=/tools &&
-make &&
-make install &&
-ln -sf libxcrypt.so /tools/lib/libcrypt.so &&
-ln -sf libxcrypt.a /tools/lib/libcrypt.a &&
-rm -f /tools/include/crypt.h &&
-ln -sf xcrypt.h /tools/include/crypt.h
+patch -Np1 -i ../sysvinit-2.86-owl_blowfish.patch
-# In Chapter 6 of the LFS/HLFS book, repeat the above commands for uClibc, or
-# Glibc, to disable the installation of libcrypt. Then after re-adjusting the
-# toolchain, install Libxcrypt (HLFS users add --disable-static):
-# uClibc users, redo the copying of libc-lock.h and the sed command for
-# stpncpy().
-cd libxcrypt-2.3 &&
-./configure --prefix=/usr --libdir=/lib &&
-make &&
-make install &&
-ln -sf libxcrypt.so /lib/libcrypt.so &&
-ln -sf ../../lib/libcrypt.so /usr/lib/libcrypt.so &&
-ln -sf ../../lib/libxcrypt.so /usr/lib/libxcrypt.so &&
-rm -f /usr/include/crypt.h &&
-ln -sf xcrypt.h /usr/include/crypt.h &&
-mv /lib/libxcrypt.*a /usr/lib
-# Move the static library to /usr, and make a symlink for it (not with HLFS):
-ln -sf libxcrypt.a /usr/lib/libcrypt.a
-# Later, build Shadow-utils:
-patch -Np1 -i ../shadow-4.0.13-blowfish-1.patch 
-# I made this patch use /dev/random for entropy, when making new passwords.
-# This means that changing passwords may take a long time if you run out of
-# entropy (/dev/random is a blocking device). If this is a problem for you
-# then run:
-# sed -e 's@/dev/random@/dev/urandom at g' -i libmisc/salt.c
-# Also see the entropy.txt hint, to find out how to increase your entropy.
-# When installing Shadow-utils, run this command instead of the one in the
-# LFS/HLFS book (so we don't configure for MD5):
-sed -e 's@/var/spool/mail@/var/mail@' \
-    etc/login.defs > etc/login.defs.new &&
-install -m644 etc/login.defs.new /etc/login.defs
 # OpenSSH can be installed normally, and using "--with-md5-passwords" is
 # optional (it will still be able to use blowfish passwords too).
@@ -142,3 +85,6 @@
   * Bump to libxcrypt-2.3.
   * Don't install libcrypt from libc, and install libxcrypt instead.
+  * Use Owl Blowfish for Glibc because libxcrypt conflicts with OpenSSH.
+  * Added new Shadow and Sysvinit patches.

More information about the hints mailing list