OT: linux dists and such (Re: Off Topic Telnet problems)

Fairlight fairlite at fairlite.com
Wed Mar 18 00:03:20 PDT 2009


On Tue, Mar 17, 2009 at 04:08:46PM -0700, Bill Campbell, the prominent pundit,
witicized:
> 
> We are talking OpenServer here so sanity isn't in question.

If I hadn't been watching Alias tonight, that would have actually been my
best laugh of the day.  :)  Good one!

> Be aware that major Linux vendors (e.g. Red Hat/CentOS) do not
> support SHA1 passwords in their standard installs, which can be a
> major PITA if moving from SuSE boxes that support it.  We
> generally use MD5 as it is reasonably secure, and is supported by
> any Linux using the normal glibc crypt extensions.  Naturally I
> found out about this the hard way.

You know, I totally misspoke.  Kind of understandable if you know what I'd
been working on lately. :) I was recently working on some mail syncing
software, and I was using MD5 initially to track checksums to hash files
on a combination of message headers that should always be able to uniquely
identify a message (in theory, and 99.9999%+ in practise, barring forged
spam).  I had started off using Digest::MD5 for my checksums.  Partway
through, I ran into issues where I was seeing duplicates and didn't
think I should have been.  I was worried MD5 was broken.  I switched to
Digest::SHA1 and it -still- gave me duplicates when tracking.  Turns out,
forged spam -was- using the same Message-ID.  That's when I added in the
Date: and all the Received: headers, figuring there was pretty much no way
in hell you should ever get 100% matches across that entire subselection of
headers.  I never reverted back from SHA1 to MD5, as I had no real reason
to.  They're functionally equivalent for my use in this context.

So the last thing I used was SHA1 in that context.  As such, I had that
fresh in my head. *sigh*

When talking earlier, I just had SHA1 on the mind, and forgot that MD5
was the most common newly introduced standard for the password field
and reversed them in my mind because I've worked with both lately.  Not
explicitly for passwords, but in general.  You're right, of course; MD5
passwords are in use on RHEL, not SHA1, and SuSE did fairly recently
introduce SHA1 for authentication.  I think just in the 10.x series, yes?
Does FBSD support SHA1 yet?  Not that I've seen a reason to go past MD5.
Different algorithms, but I thought they were both relatively equivalent in
terms of the results being unique, etc.  Fair assumption?

What really annoys me is that SuSE keeps changing what they think the
default encryption should be at installation.  I really feel it should have
stayed at MD5 once they implemented MD5.  There are security implications
to leaving it at DES, or I'd have said they should have defaulted to a
long-standing standard and let the admin check.  But I'm sick of them
putting in something new and just assuming that people are going to catch
that they've decided to switch horses again.

Actually, Novell has royally ticked me off in the last 2.5 years.  SLES10
has been a royal PITA.  If I had to make a call, I'd just go with OpenSuSE
and stick with that, to be honest.  An investment in Novell is -not- worth
it unless you flat-out have no linux admin at all.  Licensing the
professional versions is pretty much useless.  You get NO support from them
past installation, even getting them to talk to you semi-officially about a
bug that -their own service pack introduces- will cost you $675 unless you
have a contract with them, and you get to deal with ZMD and all that cruft.
Plus the lack of SRPMs, and a dependence on a single point of distribution
instead of mirrors that you can hop around.  Novell's done no good for
SuSE, IMNSHO.

Did I mention the part where they don't even sell their own (*#%ing
licenses anymore?  No, seriously!  A client had a license expire.  Couldn't
get updates, and I checked the errors and it doesn't outright say that your
license has expired.  (Neither does RHEL, actually...up2date just craps out
cryptically as well.)  Once you figure this out, you go to Novell, call
them, and they -send you to a reseller- to purchase a license.  A process
which takes 3-7 days, for some unholy reason.  This is arguably the worst
service I've seen since Linux dists started going commercial.  They've
actually ticked me off more than Red Hat, and that took some doing.  I
still don't trust Red Hat, though; anyone that can screw up perl enough
that it segv's on either int(), sort(), or return(), have a copy of the
script that will induce the segv, and not bother to fix their commercial
product for three years...well, I really don't trust them all that much.

Next time around, I'm pushing for a non-commercial distribution.  Probably
OpenSuSE.  Fedora is too rapid-fire chaseware.  I don't like the political
agenda and philosophizing that Ubuntu brings to the plate.  Debian is so
far behind the curve, I don't even consider it modern.  CentOS may be a
contender but I'd have to look at it first.

I guess I'd rather just stick with OpenSuSE.  It's still a pretty well
designed product until Novell gets their meathooks on it.

mark->
-- 
"I'm not subtle. I'm not pretty, and I'll piss off a lot of people along
the way. But I'll get the job done" --Captain Matthew Gideon, "Crusade"
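The header-fingerprint deduplication the post describes (hash a fixed set of headers; widen the set from Message-ID alone to Message-ID plus Date and every Received header once forged spam was found reusing Message-IDs) as an added Python example, not the author's Perl mail-syncing code. It uses the standard library's hashlib and email parser in place of Digest::MD5/Digest::SHA1; the four sample messages, hostnames and Message-IDs are constructed here. The point it shows is the one the post makes: the digest algorithm is interchangeable for this job, and it is the choice of headers, not MD5 versus SHA1, that decides whether two distinct messages collide.

```python
import hashlib
from email import message_from_string
from email.message import Message
from typing import Iterable, List, Sequence

# Constructed sample mail (not from the original post). Message 2 is a forged
# spam that reuses message 0's Message-ID but was relayed through a different
# host at a different time; message 3 is a genuine duplicate of message 0.
REAL_ONE = """\
Received: from mx1.example.org by mail.example.com; Tue, 17 Mar 2009 10:00:00 -0700
Received: from client.example.org by mx1.example.org; Tue, 17 Mar 2009 09:59:58 -0700
Message-ID: <abc123@example.org>
Date: Tue, 17 Mar 2009 09:59:57 -0700
From: alice@example.org
Subject: real message

hello
"""

REAL_TWO = """\
Received: from mx1.example.org by mail.example.com; Tue, 17 Mar 2009 11:00:00 -0700
Message-ID: <def456@example.org>
Date: Tue, 17 Mar 2009 10:59:59 -0700
From: bob@example.org
Subject: another real message

hi
"""

FORGED_SPAM = """\
Received: from open-relay.example.net by mail.example.com; Wed, 18 Mar 2009 02:13:00 -0700
Message-ID: <abc123@example.org>
Date: Wed, 18 Mar 2009 02:12:00 -0700
From: alice@example.org
Subject: real message

buy now
"""

SAMPLE_MESSAGES = [REAL_ONE, REAL_TWO, FORGED_SPAM, REAL_ONE]

# Header selections: the narrow key is Message-ID alone (what failed against
# forged spam); the wide key adds Date and all Received headers, as the post did.
NARROW_KEY = ("Message-ID",)
WIDE_KEY = ("Message-ID", "Date", "Received")


def header_fingerprint(msg: Message, headers: Sequence[str]) -> str:
    """SHA-1 over the selected headers, in order, keeping repeated headers
    (every Received: line) so the relay path becomes part of the key."""
    parts = []
    for name in headers:
        for value in msg.get_all(name, []):
            parts.append(f"{name.lower()}:{value.strip()}")
    return hashlib.sha1("\n".join(parts).encode("utf-8")).hexdigest()


def find_duplicates(raw_messages: Iterable[str], headers: Sequence[str]) -> List[int]:
    """Return the indices of messages whose fingerprint was already seen,
    i.e. the ones a sync tool keyed on these headers would drop as duplicates."""
    seen = set()
    duplicates = []
    for index, raw in enumerate(raw_messages):
        fingerprint = header_fingerprint(message_from_string(raw), headers)
        if fingerprint in seen:
            duplicates.append(index)
        else:
            seen.add(fingerprint)
    return duplicates


if __name__ == "__main__":
    # Message-ID only: the forged spam (2) collides with the real message,
    # as does the true copy (3).  Wide key: only the true copy is flagged.
    print("Message-ID only:", find_duplicates(SAMPLE_MESSAGES, NARROW_KEY))
    print("Message-ID+Date+Received:", find_duplicates(SAMPLE_MESSAGES, WIDE_KEY))
```

Swapping `hashlib.sha1` for `hashlib.md5` changes nothing about which messages are flagged; a collision here is always two messages with identical selected headers, which is why widening the header set was the fix and changing the digest was not.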