[syslinux] Requesting the removal of md5pass
H. Peter Anvin
hpa at zytor.com
Fri Jun 24 09:21:53 PDT 2011
On 06/24/2011 08:41 AM, Dag Wieers wrote:
>
> The md5pass tool does not offer anything that is not possible using
> openssl, eg:
>
> openssl passwd -1 <password>
> or
> openssl passwd -1 -salt <string> <password>
>
> So the tool could easily be replaced by a shell-script, or removed
> entirely.
>
Makes sense, although now it depends on openssl ;)
> Furthermore, simply running md5pass provides an MD5-based password, with
> no clue what's the cleartext equivalent. Not sure if this was intentional
> (I don't see the point myself) but it's quite confusing since the tool has
> no help and people wouldn't at first glance know that the first argument
> should in fact be a cleartext password (and the second optionall the
> salt).
Yes, it should give a usage error instead.
> Can't we just replace this with a simple shell-script using openssl or get
> rid of it ? Or does it serve a greater purpose ? :)
Not really. Shell script would be fine.
Another alternative -- which almost certainly would be the best -- would
be to write host-side C wrappers around the crypto algorithms we already
have. That way we can get rid of any external dependencies.
> PS1 The only reference to md5pass is in the syslinux documentation
> somewhere.
>
> PS2 For sha1pass there doesn't seem to be an equivalent in openssl, but it
> seems very useful to have that added to openssl as well (-4 ?).
The particular SHA-1 password implementation in Syslinux is
Syslinux-specific and probably pretty poor.
-hpa
More information about the Syslinux
mailing list