[syslinux] Requesting the removal of md5pass

H. Peter Anvin hpa at zytor.com
Fri Jun 24 09:21:53 PDT 2011


On 06/24/2011 08:41 AM, Dag Wieers wrote:
> 
> The md5pass tool does not offer anything that is not possible using 
> openssl, eg:
> 
>  	openssl passwd -1 <password>
> or
>  	openssl passwd -1 -salt <string> <password>
> 
> So the tool could easily be replaced by a shell-script, or removed 
> entirely.
> 

Makes sense, although now it depends on openssl ;)

> Furthermore, simply running md5pass provides an MD5-based password, with 
> no clue what's the cleartext equivalent. Not sure if this was intentional 
> (I don't see the point myself) but it's quite confusing since the tool has 
> no help and people wouldn't at first glance know that the first argument 
> should in fact be a cleartext password (and the second optionall the 
> salt).

Yes, it should give a usage error instead.

> Can't we just replace this with a simple shell-script using openssl or get 
> rid of it ? Or does it serve a greater purpose ? :)

Not really.  Shell script would be fine.

Another alternative -- which almost certainly would be the best -- would
be to write host-side C wrappers around the crypto algorithms we already
have.  That way we can get rid of any external dependencies.

> PS1 The only reference to md5pass is in the syslinux documentation
>      somewhere.
> 
> PS2 For sha1pass there doesn't seem to be an equivalent in openssl, but it
>      seems very useful to have that added to openssl as well (-4 ?).

The particular SHA-1 password implementation in Syslinux is
Syslinux-specific and probably pretty poor.

	-hpa




More information about the Syslinux mailing list