[Rt-devel] Password storage format in RT3.6

Ruslan Zakirov ruslan.zakirov at gmail.com
Mon Sep 4 16:35:13 EDT 2006


I think we should allow admins (if it's possible) to:
* choose between MD5 and MD5 salted
* script that changes stored hashes at once. Is it possible to add
salt to MD5 hash with password string?

It was a big surprise to me when I saw that we'd switched from md5 in
base64 to md5 in hex. And also it's very hard to auth against RT's DB
when some password hash strings are base64 encoded while others are
hex-encoded.

On 9/4/06, Jesse Vincent <jesse at bestpractical.com> wrote:
>
> On Mon, Sep 04, 2006 at 09:13:03PM +0200, Arne Georg Gleditsh wrote:
> > Jesse Vincent wrote:
> > >Having asked around, I'm told that changing this would break PAM
> > >compatibility, which scares me more than a little.
> >
> > Surprising.  Normal "md5-crypt" on every Unix I'm aware of is salted
> > md5, and this is handled by pam out of the box.  Not knowing the details
> > of RT's "PAM compatibility" it's hard to comment either way, though.
> >
> > Could we get some more details on this perceived breakage?
>
> I'll poke harder at my informant and see if I can shake loose any sane
> justification.
>
> Thanks!
>
> Jesse
>
>
>
> > --
> >                                                       Arne.
> >


-- 
Best regards, Ruslan.
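
An added example, not part of the original message and not RT's own code: one way an external authenticator can accept both encodings mentioned above, and upgrade all stored unsalted hashes at once without knowing the passwords by salting and re-hashing the existing MD5 digest. Assumptions: the base64 form is the 22-character unpadded string that Perl's Digest::MD5 `md5_base64` produces, passwords are UTF-8, and the `wrapped$salt$hash` record format and the PBKDF2-HMAC-SHA256 outer layer (used here instead of plain salted MD5) are hypothetical choices.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the outer PBKDF2 layer


def legacy_digest(stored):
    """Decode a stored unsalted MD5 hash (hex or base64) to its 16 raw bytes."""
    raw = b""
    try:
        if len(stored) == 32:            # hex encoding
            raw = bytes.fromhex(stored)
        elif len(stored) in (22, 24):    # base64, without or with padding
            pad = "=" * (-len(stored) % 4)
            raw = base64.b64decode(stored + pad, validate=True)
    except ValueError:                   # binascii.Error is a ValueError subclass
        pass
    if len(raw) != 16:
        raise ValueError("not a recognised MD5 encoding")
    return raw


def wrap(stored, salt=None):
    """Upgrade a legacy row in bulk: salt and stretch the existing MD5 digest."""
    salt = salt or os.urandom(16)
    outer = hashlib.pbkdf2_hmac("sha256", legacy_digest(stored), salt, ITERATIONS)
    return "wrapped$%s$%s" % (salt.hex(), outer.hex())


def verify(password, stored):
    """Check a password against a hex, base64 or wrapped record."""
    inner = hashlib.md5(password.encode("utf-8")).digest()
    if stored.startswith("wrapped$"):
        _, salt_hex, outer_hex = stored.split("$")
        outer = hashlib.pbkdf2_hmac("sha256", inner, bytes.fromhex(salt_hex), ITERATIONS)
        return hmac.compare_digest(outer, bytes.fromhex(outer_hex))
    # Compare raw digests so the stored encoding does not matter.
    return hmac.compare_digest(inner, legacy_digest(stored))


# Constructed sample rows: the same password stored in both encodings.
_d = hashlib.md5(b"s3cret").digest()
ROW_HEX = _d.hex()
ROW_B64 = base64.b64encode(_d).decode().rstrip("=")
```

After every row has been passed through `wrap`, the unsalted MD5 values no longer need to be kept in the database.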

