Blowfish passwords on SuSE Linux
               ================================

SuSE Linux is able to handle Blowfish passwords. With the Blowfish 
algorithmn, passwords can be longer than 8 characters (up to 72
characters). The blowfish encryption is not part of the default
crypt() implementation. You need special glibc patches and special
PAM modules for this. So be careful, if you enable this feature. If
you export the passwords with NIS/NIS+ or something else or make a
glibc update, it could be that you are not longer able to login.


How to enable blowfish encrypted passwords:
-------------------------------------------

You need to add the option "blowfish" to the "password" rules in
the PAM config files. You can find the config files in /etc/pam.d.

For example, you need to change the following lines in /etc/pam.d/passwd:

password required       /lib/security/pam_pwcheck.so   \
		     nullok
password required       /lib/security/pam_unix2.so      \
                     nullok use_first_pass use_authtok

to:

password required       /lib/security/pam_pwcheck.so   \
		     nullok blowfish
password required       /lib/security/pam_unix2.so      \
                     nullok blowfish use_first_pass use_authtok

This is necessary for every program which is able to change the
user's password. At the moment these are at least: /etc/pam.d/login,
/etc/pam.d/passwd, /etc/pam.d/sshd and /etc/pam.d/rlogin.

You could also use the security module from YaST2 to change
the PAM configuration to generate blowfish encrypted passwords.

If you use NIS, you need to replace /usr/bin/yppasswd with a
link to /usr/bin/passwd:
# cd /usr/bin
# mv yppasswd yppasswd.old
# ln -sf passwd yppasswd


The password will be converted into blowfish one after the next
password change.