Syslinux - Jun 2011 - Requesting the removal of md5pass

Hi,

As a packager of syslinux, I would like to get rid of the dependency of 
syslinux on Crypt::PasswdMD5, as it does not ship with RHEL/CentOS by 
default and therefor is an additional hurdle for people on those 
distributions to use a more recent syslinux.

(I am also involved with the Rear project that relies on a more recent 
syslinux, and in various corporate environments need a recent syslinux.
With Rear the recent syslinux is needed on every system.)

The md5pass tool does not offer anything that is not possible using 
openssl, eg:

 	openssl passwd -1 <password>
or
 	openssl passwd -1 -salt <string> <password>

So the tool could easily be replaced by a shell-script, or removed 
entirely.

Furthermore, simply running md5pass provides an MD5-based password, with 
no clue what's the cleartext equivalent. Not sure if this was intentional 
(I don't see the point myself) but it's quite confusing since the tool
has
no help and people wouldn't at first glance know that the first argument 
should in fact be a cleartext password (and the second optionall the 
salt).

Can't we just replace this with a simple shell-script using openssl or get 
rid of it ? Or does it serve a greater purpose ? :)

PS1 The only reference to md5pass is in the syslinux documentation
     somewhere.

PS2 For sha1pass there doesn't seem to be an equivalent in openssl, but it
     seems very useful to have that added to openssl as well (-4 ?).

Kind regards,
-- 
-- dag wieers, dag at wieers.com, http://dag.wieers.com/
-- dagit linux solutions, info at dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]

On 06/24/2011 08:41 AM, Dag Wieers wrote:
> 
> The md5pass tool does not offer anything that is not possible using 
> openssl, eg:
> 
>  	openssl passwd -1 <password>
> or
>  	openssl passwd -1 -salt <string> <password>
> 
> So the tool could easily be replaced by a shell-script, or removed 
> entirely.
> 
Makes sense, although now it depends on openssl ;)
> Furthermore, simply running md5pass provides an MD5-based password, with 
> no clue what's the cleartext equivalent. Not sure if this was
intentional
> (I don't see the point myself) but it's quite confusing since the
tool has
> no help and people wouldn't at first glance know that the first
argument
> should in fact be a cleartext password (and the second optionall the 
> salt).
Yes, it should give a usage error instead.
> Can't we just replace this with a simple shell-script using openssl or
get
> rid of it ? Or does it serve a greater purpose ? :)
Not really.  Shell script would be fine.

Another alternative -- which almost certainly would be the best -- would
be to write host-side C wrappers around the crypto algorithms we already
have.  That way we can get rid of any external dependencies.
> PS1 The only reference to md5pass is in the syslinux documentation
>      somewhere.
> 
> PS2 For sha1pass there doesn't seem to be an equivalent in openssl, but
it
>      seems very useful to have that added to openssl as well (-4 ?).
The particular SHA-1 password implementation in Syslinux is
Syslinux-specific and probably pretty poor.

	-hpa