From vincent@Kain.sumuk.de  Sat Nov 10 06:19:52 2001
Return-Path: <vincent@Kain.sumuk.de>
Received: from Kain.sumuk.de (Kain.sumuk.de [213.221.86.114])
	by hub.freebsd.org (Postfix) with ESMTP id EE45A37B41D
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 10 Nov 2001 06:19:50 -0800 (PST)
Received: (from vincent@localhost)
	by Kain.sumuk.de (8.11.5/8.11.5) id fAAEJh187501;
	Sat, 10 Nov 2001 15:19:43 +0100 (CET)
	(envelope-from vincent)
Message-Id: <200111101419.fAAEJh187501@Kain.sumuk.de>
Date: Sat, 10 Nov 2001 15:19:43 +0100 (CET)
From: Martin Heinen <martin@sumuk.de>
Reply-To: Martin Heinen <martin@sumuk.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Markup changes for chapter Security
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         31899
>Category:       docs
>Synopsis:       Markup changes for chapter Security
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 10 06:20:01 PST 2001
>Closed-Date:    Fri Nov 16 04:07:33 PST 2001
>Last-Modified:  Fri Nov 16 04:08:29 PST 2001
>Originator:     Martin Heinen
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD Kain.sumuk.de 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #11: Thu Sep 27 18:54:33 CEST 2001 toor@Kain.earth.sol:/usr/obj/usr/src/sys/KAIN i386

>Description:
	changed literal " to <quote>, indented a paragraph,
	<Para> -> <para>,
	info -> information,
	<filename>grunt -> <hostid>grunt,
	added missing markup,
	localhost -> <hostid>localhost
>How-To-Repeat:
	read the Security chapter
>Fix:
Index: chapter.sgml
===================================================================
RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.96
diff -u -r1.96 chapter.sgml
--- chapter.sgml	2001/10/29 11:02:50	1.96
+++ chapter.sgml	2001/11/10 13:59:24
@@ -1014,14 +1014,14 @@
 	rather than <filename>libdescrypt</filename>.</para>
 
       <para>If you have installed the DES-capable crypt library
-      <filename>libdescrypt</filename> (e.g. by installing the
-      "crypto" distribution), then which password format will be used
-      for new passwords is controlled by the
-      <quote>passwd_format</quote> login capability in
-      <filename>/etc/login.conf</filename>, which takes values of
-      either <quote>des</quote> or <quote>md5</quote>.  See the
-      &man.login.conf.5; manual page for more information about login
-      capabilities.</para>
+        <filename>libdescrypt</filename> (e.g. by installing the
+        <quote>crypto</quote> distribution), then which password format
+        will be used for new passwords is controlled by the
+        <quote>passwd_format</quote> login capability in
+        <filename>/etc/login.conf</filename>, which takes values of
+        either <quote>des</quote> or <quote>md5</quote>.  See the
+        &man.login.conf.5; manual page for more information about login
+        capabilities.</para>
     </sect2>
   </sect1>
 
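Review bot: re-indenting all eight lines of this paragraph makes the whole paragraph show as changed, although the only content change is "crypto" becoming <quote>crypto</quote>; keep the original indentation here and send the whitespace fix as a separate change. While these lines are touched, passwd_format, des and md5 are a capability name and its values rather than quotations, so <literal> would describe them better than <quote>.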
@@ -1249,7 +1249,7 @@
 s/key 97 fw13894
 Password: </screen>
 
-      <Para>Or for OPIE:</para>
+      <para>Or for OPIE:</para>
 
 <screen>&prompt.user; <userinput>telnet example.com</userinput>
 Trying 10.0.0.1...
@@ -1345,7 +1345,7 @@
 	on the host name, user name, terminal port, or IP address of a
 	login session.  These restrictions can be found in the
 	configuration file <filename>/etc/skey.access</filename>.  The
-	&man.skey.access.5; manual page has more info on the complete
+	&man.skey.access.5; manual page has more information on the complete
 	format of the file and also details some security cautions to be
 	aware of before depending on this file for security.</para>
 
@@ -1460,8 +1460,8 @@
       <para>You should now edit the <filename>krb.conf</filename> and
 	<filename>krb.realms</filename> files to define your Kerberos realm.
 	In this case the realm will be <filename>EXAMPLE.COM</filename> and the
-	server is <filename>grunt.example.com</filename>.  We edit or create
-	the <filename>krb.conf</filename> file:</para>
+	server is <hostid role="fqdn">grunt.example.com</hostid>.  We edit
+	or create the <filename>krb.conf</filename> file:</para>
 	  
       <screen>&prompt.root; <userinput>cat krb.conf</userinput>
 EXAMPLE.COM
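Review bot: the context line just above the change still marks the realm as <filename>EXAMPLE.COM</filename>, although a Kerberos realm is no more a file than the server name was; now that the server moves from <filename> to <hostid role="fqdn">, give the realm non-file markup in the same patch, for example <literal>EXAMPLE.COM</literal>.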
@@ -2655,8 +2655,9 @@
       elsewhere, and is not available for unrestricted use.
       IDEA is included in the OpenSSL sources in FreeBSD, but it is not
       built by default.  If you wish to use it, and you comply with the
-      license terms, enable the MAKE_IDEA switch in /etc/make.conf and
-      rebuild your sources using 'make world'.</para>
+      license terms, enable the <literal>MAKE_IDEA</literal> switch in
+      <filename>/etc/make.conf</filename> and
+      rebuild your sources using <command>make world</command>.</para>
 
     <para>Today, the RSA algorithm is free for use in USA and other
       countries.  In the past it was protected by a patent.</para>
@@ -2741,14 +2742,18 @@
         From HOST B to HOST A, new AH and new ESP are combined.</para>
 
       <para>Now we should choose an algorithm to be used corresponding to
-        "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
+        <quote>AH</quote>/<quote>new AH</quote>/<quote>ESP</quote>/
+	<quote>new ESP</quote>.
+	Please refer to the &man.setkey.8; man
         page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
         for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
 
       <para>Key length highly depends on each algorithm.  For example, key
         length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
-        and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
-        "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
+        and 8 for new-DES-expIV.  Now we choose
+	<quote>MYSECRETMYSECRET</quote>,
+        <quote>KAMEKAMEKAMEKAMEKAME</quote>, <quote>PASSWORD</quote>,
+	respectively.</para>
 
       <para>OK, let us assign SPI (Security Parameter Index) for each protocol.
         Please note that we need 3 SPIs for this secure channel since three
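Review bot: breaking the added line after "<quote>ESP</quote>/" puts a newline and a tab between the slash and <quote>new ESP</quote>, so the rendered list can come out as "ESP/ new ESP" while the other three items have no space; keep the four <quote> elements on one line, or break at a point where a space already exists. The added lines in both paragraphs are also indented with a tab while their neighbours use eight spaces.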
@@ -2842,9 +2847,10 @@
           fec0::10 -------------------- fec0::11
 </screen>
 
-      <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and
-        authentication algorithm is hmac-sha1 whose key is "this is the test
-        key".  Configuration at Host-A:</para>
+      <para>Encryption algorithm is blowfish-cbc whose key is
+	<quote>kamekame</quote>, and authentication algorithm is hmac-sha1
+	whose key is <quote>this is the test key</quote>.
+	Configuration at Host-A:</para>
 
       <screen>
         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
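Review bot: the two keys on the added lines, kamekame and this is the test key, are exact strings that go into the setkey input that follows, so <literal> fits them better than <quote>, which a stylesheet is free to render with typographic quotation marks; the patch already uses <literal> for [any] and -m in a later hunk. The same applies to the keys quoted in the neighbouring IPsec hunks.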
@@ -2888,8 +2894,8 @@
       <para>Tunnel mode between two security gateways</para>
 
       <para>Security protocol is old AH tunnel mode, i.e. specified by
-        RFC1826, with keyed-md5 whose key is "this is the test" as
-        authentication algorithm.</para>
+        RFC1826, with keyed-md5 whose key is
+	<quote>this is the test</quote> as authentication algorithm.</para>
 
       <screen>
                              ======= AH =======
@@ -2914,8 +2920,10 @@
         EOF
 </screen>
 
-      <para>If the port number field is omitted such as above then "[any]" is
-        employed. `-m' specifies the mode of SA to be used. "-m any" means
+      <para>If the port number field is omitted such as above then
+	<literal>[any]</literal> is
+        employed. <literal>-m</literal> specifies the mode of SA to be used.
+	<literal>-m any</literal> means
         wild-card of mode of security protocol. You can use this SA for both
         tunnel and transport mode.</para>
 
@@ -3102,10 +3110,10 @@
 user@example.com's password: <userinput>*******</userinput></screen>
 
       <para>The login will continue just as it would have if a session was
-        created using <command>rlogin</command> or telnet.  SSH utilizes a 
-	key fingerprint
-        system for verifying the authenticity of the server when the 
-        client connects.  The user is prompted to enter 'yes' only when
+        created using <command>rlogin</command> or <command>telnet</command>.
+	SSH utilizes a key fingerprint system for verifying the authenticity
+	of the server when the client connects.  The user is prompted
+	to enter <literal>yes</literal> only when
         connecting for the first time.  Future attempts to login are all
         verified against the saved fingerprint key.  The SSH client
         will alert you if the saved fingerprint differs from the
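Review bot: on the added line "to enter <literal>yes</literal> only when", yes is text the user types at the fingerprint prompt, so <userinput>, which the context line at the top of this hunk already uses for the typed password, describes it better than <literal>. The rewrap of the paragraph also hides that only the telnet and yes markup changed; leave the line breaks as they were.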
@@ -3132,9 +3140,9 @@
       </indexterm>
       <indexterm><primary><command>scp</command></primary></indexterm>
 
-      <para>The <command>scp</command> command works similarly to rcp;
-        it copies a file to or from a remote machine, except in a
-        secure fashion.</para>
+      <para>The <command>scp</command> command works similarly to
+	<command>rcp</command>; it copies a file to or from a
+	remote machine, except in a secure fashion.</para>
 
       <screen>&prompt.root <userinput> scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
 user@example.com's password: 
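Review bot: the <screen> context line right after the changed paragraph writes the prompt as "&prompt.root" without the closing semicolon and leaves a space after <userinput>, unlike the "&prompt.root;" and "&prompt.user;" lines in the other hunks; since this patch is cleaning up markup in the same spot, make it "&prompt.root; <userinput>scp" for consistency.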
@@ -3293,15 +3301,16 @@
       </variablelist>
 
 
-      <para>An SSH tunnel works by creating a listen socket on localhost
+      <para>An SSH tunnel works by creating a listen socket on
+	<hostid>localhost</hostid>
 	on the specified port.  It then forwards any connection received
 	on the local host/port via the SSH connection to the specified
 	remote host and port.</para>
 
       <para>In the example, port <replaceable>5023</replaceable> on
-	localhost is being forwarded to port
-	<replaceable>23</replaceable> on localhost of the remote
-	machine.  Since <replaceable>23</replaceable> is telnet, this
+	<hostid>localhost</hostid> is being forwarded to port
+	<replaceable>23</replaceable> on <hostid>localhost</hostid> of the
+	remote machine.  Since <replaceable>23</replaceable> is telnet, this
 	would create a secure telnet session through an SSH tunnel.</para>
 
        <para>This can be used to wrap any number of insecure TCP protocols 
>Release-Note:
>Audit-Trail:

From: Tom Hukins <tom@FreeBSD.org>
To: Martin Heinen <martin@sumuk.de>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sat, 10 Nov 2001 17:27:14 +0000

 On Sat, Nov 10, 2001 at 03:19:43PM +0100, Martin Heinen wrote:
 >        <para>If you have installed the DES-capable crypt library
 > -      <filename>libdescrypt</filename> (e.g. by installing the
 > -      "crypto" distribution), then which password format will be used
 > -      for new passwords is controlled by the
 > -      <quote>passwd_format</quote> login capability in
 > -      <filename>/etc/login.conf</filename>, which takes values of
 > -      either <quote>des</quote> or <quote>md5</quote>.  See the
 > -      &man.login.conf.5; manual page for more information about login
 > -      capabilities.</para>
 
 Rather than fixing this by modifying the quotes, shouldn't this be
 totally updated?  We don't have a "crypto" distribution any more, so we
 should specify what happens by default and explain how to change it.
 
 Tom

From: Giorgos Keramidas <charon@labs.gr>
To: Martin Heinen <martin@sumuk.de>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sat, 10 Nov 2001 17:48:40 +0200

 Martin Heinen <martin@sumuk.de> wrote:
 >
 > >Description:
 > 	changed literal " to <quote>, indented a paragraph,
 > 	<Para> -> <para>,
 > 	info -> information,
 > 	<filename>grunt -> <hostid>grunt,
 > 	added missing markup,
 > 	localhost -> <hostid>localhost
 
 Please do not mix whitespace and content changes :(
 It is difficult to see the content changes when they are made at the
 same time with indentation or other whitespace fixes.
 

From: Martin Heinen <martin@sumuk.de>
To: Giorgos Keramidas <charon@labs.gr>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sun, 11 Nov 2001 15:06:26 +0100

 --Bn2rw/3z4jIqBvZU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Giorgos Keramidas wrote:
 > Martin Heinen <martin@sumuk.de> wrote:
 > >
 > > >Description:
 > > 	changed literal " to <quote>, indented a paragraph,
 > > 	<Para> -> <para>,
 > > 	info -> information,
 > > 	<filename>grunt -> <hostid>grunt,
 > > 	added missing markup,
 > > 	localhost -> <hostid>localhost
 > 
 > Please do not mix whitespace and content changes :(
 > It is difficult to see the content changes when they are made at the
 > same time with indentation or other whitespace fixes.
 
 uups, thanks for reminding me to read the FDP-Primer regularly.  Attached
 is a diff without whitespace changes.  I will send a new PR to fix
 line breaks and indentation.
 
 As Tom noted, the section about recognizing the crypt mechanism
 needs to be rewritten, so I dropped the corrections to this section.
 
 Martin
 -- 
 Marxpitn
 
 --Bn2rw/3z4jIqBvZU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="sec.diff"
 
 Index: chapter.sgml
 ===================================================================
 RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
 retrieving revision 1.96
 diff -u -r1.96 chapter.sgml
 --- chapter.sgml	2001/10/29 11:02:50	1.96
 +++ chapter.sgml	2001/11/11 11:17:28
 @@ -1249,7 +1249,7 @@
  s/key 97 fw13894
  Password: </screen>
  
 -      <Para>Or for OPIE:</para>
 +      <para>Or for OPIE:</para>
  
  <screen>&prompt.user; <userinput>telnet example.com</userinput>
  Trying 10.0.0.1...
 @@ -1345,7 +1345,7 @@
  	on the host name, user name, terminal port, or IP address of a
  	login session.  These restrictions can be found in the
  	configuration file <filename>/etc/skey.access</filename>.  The
 -	&man.skey.access.5; manual page has more info on the complete
 +	&man.skey.access.5; manual page has more information on the complete
  	format of the file and also details some security cautions to be
  	aware of before depending on this file for security.</para>
  
 @@ -1460,7 +1460,7 @@
        <para>You should now edit the <filename>krb.conf</filename> and
  	<filename>krb.realms</filename> files to define your Kerberos realm.
  	In this case the realm will be <filename>EXAMPLE.COM</filename> and the
 -	server is <filename>grunt.example.com</filename>.  We edit or create
 +	server is <hostid role="fqdn">grunt.example.com</hostid>.  We edit or create
  	the <filename>krb.conf</filename> file:</para>
  	  
        <screen>&prompt.root; <userinput>cat krb.conf</userinput>
 @@ -2655,8 +2655,8 @@
        elsewhere, and is not available for unrestricted use.
        IDEA is included in the OpenSSL sources in FreeBSD, but it is not
        built by default.  If you wish to use it, and you comply with the
 -      license terms, enable the MAKE_IDEA switch in /etc/make.conf and
 -      rebuild your sources using 'make world'.</para>
 +      license terms, enable the <literal>MAKE_IDEA</literal> switch in <filename>/etc/make.conf</filename> and
 +      rebuild your sources using <command>make world</command>.</para>
  
      <para>Today, the RSA algorithm is free for use in USA and other
        countries.  In the past it was protected by a patent.</para>
 @@ -2741,14 +2741,14 @@
          From HOST B to HOST A, new AH and new ESP are combined.</para>
  
        <para>Now we should choose an algorithm to be used corresponding to
 -        "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
 +        <quote>AH</quote>/<quote>new AH</quote>/<quote>ESP</quote>/<quote>new ESP</quote>.  Please refer to the &man.setkey.8; man
          page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
          for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
  
        <para>Key length highly depends on each algorithm.  For example, key
          length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
 -        and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
 -        "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
 +        and 8 for new-DES-expIV.  Now we choose <quote>MYSECRETMYSECRET</quote>,
 +        <quote>KAMEKAMEKAMEKAMEKAME</quote>, <quote>PASSWORD</quote>, respectively.</para>
  
        <para>OK, let us assign SPI (Security Parameter Index) for each protocol.
          Please note that we need 3 SPIs for this secure channel since three
 @@ -2842,9 +2842,9 @@
            fec0::10 -------------------- fec0::11
  </screen>
  
 -      <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and
 -        authentication algorithm is hmac-sha1 whose key is "this is the test
 -        key".  Configuration at Host-A:</para>
 +      <para>Encryption algorithm is blowfish-cbc whose key is <quote>kamekame</quote>, and
 +        authentication algorithm is hmac-sha1 whose key is <quote>this is the test
 +        key</quote>.  Configuration at Host-A:</para>
  
        <screen>
          &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
 @@ -2888,7 +2888,7 @@
        <para>Tunnel mode between two security gateways</para>
  
        <para>Security protocol is old AH tunnel mode, i.e. specified by
 -        RFC1826, with keyed-md5 whose key is "this is the test" as
 +        RFC1826, with keyed-md5 whose key is <quote>this is the test</quote> as
          authentication algorithm.</para>
  
        <screen>
 @@ -2914,8 +2914,8 @@
          EOF
  </screen>
  
 -      <para>If the port number field is omitted such as above then "[any]" is
 -        employed. `-m' specifies the mode of SA to be used. "-m any" means
 +      <para>If the port number field is omitted such as above then <literal>[any]</literal> is
 +        employed. <literal>-m</literal> specifies the mode of SA to be used. <literal>-m any</literal> means
          wild-card of mode of security protocol. You can use this SA for both
          tunnel and transport mode.</para>
  
 @@ -3105,7 +3105,7 @@
          created using <command>rlogin</command> or telnet.  SSH utilizes a 
  	key fingerprint
          system for verifying the authenticity of the server when the 
 -        client connects.  The user is prompted to enter 'yes' only when
 +        client connects.  The user is prompted to enter <literal>yes</literal> only when
          connecting for the first time.  Future attempts to login are all
          verified against the saved fingerprint key.  The SSH client
          will alert you if the saved fingerprint differs from the
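Review bot: the first context line of this hunk, "created using <command>rlogin</command> or telnet.", still leaves telnet bare next to a marked-up rlogin; the first version of the patch wrapped it in <command>telnet</command>, and that is a markup change, not a whitespace one, so it looks lost when the rewrap was taken out. Add it back as a one-line change.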
 @@ -3132,7 +3132,7 @@
        </indexterm>
        <indexterm><primary><command>scp</command></primary></indexterm>
  
 -      <para>The <command>scp</command> command works similarly to rcp;
 +      <para>The <command>scp</command> command works similarly to <command>rcp</command>;
          it copies a file to or from a remote machine, except in a
          secure fashion.</para>
  
 @@ -3293,14 +3293,14 @@
        </variablelist>
  
  
 -      <para>An SSH tunnel works by creating a listen socket on localhost
 +      <para>An SSH tunnel works by creating a listen socket on <hostid>localhost</hostid>
  	on the specified port.  It then forwards any connection received
  	on the local host/port via the SSH connection to the specified
  	remote host and port.</para>
  
        <para>In the example, port <replaceable>5023</replaceable> on
 -	localhost is being forwarded to port
 -	<replaceable>23</replaceable> on localhost of the remote
 +	<hostid>localhost</hostid> is being forwarded to port
 +	<replaceable>23</replaceable> on <hostid>localhost</hostid> of the remote
  	machine.  Since <replaceable>23</replaceable> is telnet, this
  	would create a secure telnet session through an SSH tunnel.</para>
  
 
 --Bn2rw/3z4jIqBvZU--

From: Martin Heinen <martin@sumuk.de>
To: Tom Hukins <tom@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sun, 11 Nov 2001 15:06:54 +0100

 --5G06lTa6Jq83wMTw
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Sat, Nov 10, 2001 at 05:27:14PM +0000, Tom Hukins wrote:
 > On Sat, Nov 10, 2001 at 03:19:43PM +0100, Martin Heinen wrote:
 > >        <para>If you have installed the DES-capable crypt library
 > > -      <filename>libdescrypt</filename> (e.g. by installing the
 > > -      "crypto" distribution), then which password format will be used
 > > -      for new passwords is controlled by the
 > > -      <quote>passwd_format</quote> login capability in
 > > -      <filename>/etc/login.conf</filename>, which takes values of
 > > -      either <quote>des</quote> or <quote>md5</quote>.  See the
 > > -      &man.login.conf.5; manual page for more information about login
 > > -      capabilities.</para>
 > 
 > Rather than fixing this by modifying the quotes, shouldn't this be
 > totally updated?  We don't have a "crypto" distribution any more, so we
 > should specify what happens by default and explain how to change it.
 
 second uups, in the future I will read the release notes more
 thoroughly.  The attached diff reformulates the section, but I'm
 not sure if I got this right, especially I don't know when /etc/auth.conf
 is used.  Maybe someone else can shed more light on this.
 
 Should I open a new PR for this issue?
 
 Martin
 -- 
 Marxpitn
 
 --5G06lTa6Jq83wMTw
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="sec.auth.diff"
 
 Index: chapter.sgml
 ===================================================================
 RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
 retrieving revision 1.96
 diff -u -r1.96 chapter.sgml
 --- chapter.sgml	2001/10/29 11:02:50	1.96
 +++ chapter.sgml	2001/11/11 13:33:53
 @@ -978,50 +978,35 @@
      <sect2>
        <title>Recognizing Your Crypt Mechanism</title>
  
 +      <para>Before FreeBSD 4.4 <filename>libcrypt.a</filename> was a
 +        symbolic link pointing to the library which was used for
 +	encryption.  FreeBSD 4.4 changed <filename>libcrypt.a</filename> to
 +	provide a configurable password authentication hash library.
 +	Currently the library supports DES, MD5 and Blowfish hash
 +	functions.  By default FreeBSD uses MD5 to encrypt
 +	passwords.</para>
 +
        <para>It is pretty easy to identify which encryption method 
  	FreeBSD is set up to use.  Examining the encrypted passwords in
  	the <filename>/etc/master.passwd</filename> file is one way.
  	Passwords encrypted with the MD5 hash are longer than those
  	encrypted with the DES hash and also begin with the characters
 -	<literal>&dollar;1&dollar;</literal>.  DES password strings do not
 +	<literal>&dollar;1&dollar;</literal>.  Passwords starting with
 +	<literal>&dollar;2&dollar;</literal> are encrypted with the
 +	Blowfish hash function. DES password strings do not
  	have any particular identifying characteristics, but they are
  	shorter than MD5 passwords, and are coded in a 64-character
  	alphabet which does not include the <literal>&dollar;</literal>
  	character, so a relatively short string which does not begin with
  	a dollar sign is very likely a DES password.</para>
 -
 -      <para>The libraries can identify the passwords this way as well.
 -	As a result, the DES libraries are able to identify MD5
 -	passwords, and use MD5 to check passwords that were encrypted
 -	that way, and DES for the rest.  They are able to do this
 -	because the DES libraries also contain MD5.  Unfortunately, the
 -	reverse is not true, so the MD5 libraries cannot authenticate
 -	passwords that were encrypted with DES.</para>
 -  
 -      <para>Identifying which library is being used by the programs on
 -	your system is easy as well. Any program that uses crypt is linked
 -	against libcrypt, which for each type of library is a symbolic link
 -	to the appropriate implementation. For example, on a system using
 -	the DES versions:</para>
 -
 -      <screen>&prompt.user; <userinput>ls -l /usr/lib/libcrypt*</userinput>
 -lrwxr-xr-x  1 root  wheel  13 Mar 19 06:56 libcrypt.a -&gt; libdescrypt.a
 -lrwxr-xr-x  1 root  wheel  18 Mar 19 06:56 libcrypt.so.2.0 -&gt; libdescrypt.so.2.0
 -lrwxr-xr-x  1 root  wheel  15 Mar 19 06:56 libcrypt_p.a -&gt; libdescrypt_p.a</screen>
  
 -      <para>On a system using the MD5-based libraries, the same links will
 -	be present, but the target will be <filename>libscrypt</filename>
 -	rather than <filename>libdescrypt</filename>.</para>
 +      <para>Which password format will be used for new passwords is
 +	controlled by the <quote>passwd_format</quote> login capability in
 +        <filename>/etc/login.conf</filename>, which takes values of
 +        <quote>des</quote> or <quote>md5</quote> or <quote>blf</quote>.
 +	See the &man.login.conf.5; manual page for more information about
 +	login capabilities.</para>
  
 -      <para>If you have installed the DES-capable crypt library
 -      <filename>libdescrypt</filename> (e.g. by installing the
 -      "crypto" distribution), then which password format will be used
 -      for new passwords is controlled by the
 -      <quote>passwd_format</quote> login capability in
 -      <filename>/etc/login.conf</filename>, which takes values of
 -      either <quote>des</quote> or <quote>md5</quote>.  See the
 -      &man.login.conf.5; manual page for more information about login
 -      capabilities.</para>
      </sect2>
    </sect1>
  
 
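Review bot: the added opening paragraph ends with "By default FreeBSD uses MD5 to encrypt passwords" one sentence after calling DES, MD5 and Blowfish "hash functions", and the new Blowfish sentence says "encrypted with the Blowfish hash function"; these are one-way password hashes, so use "hash" as the verb in the added text. The hunk also deletes the paragraph on which library can verify which stored format without saying whether existing DES or MD5 entries in /etc/master.passwd still verify once passwd_format is changed; one sentence on that would close the gap. Lastly, passwd_format and its values des, md5 and blf would read better as <literal> than <quote>, with the values as a comma-separated list.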
 --5G06lTa6Jq83wMTw--
State-Changed-From-To: open->analyzed 
State-Changed-By: murray 
State-Changed-When: Wed Nov 14 08:57:39 PST 2001 
State-Changed-Why:  
I've committed your second diff to r1.97 in CVS (should be on the web 
site within 24 hours).  It might be easier if you open another PR for 
your remaining changes.  Thanks for the submission! 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31899 
State-Changed-From-To: analyzed->closed 
State-Changed-By: tom 
State-Changed-When: Fri Nov 16 04:07:33 PST 2001 
State-Changed-Why:  
I've committed the third patch too. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31899 
>Unformatted:
