On 2014-02-04 07:53, Tom Rhodes wrote: > On Tue, 4 Feb 2014 01:00:41 -0700 (MST) > Mike Brown <m...@skew.org> wrote: > >> Tom Rhodes wrote: >>> + <para>Passwords are a necessary evil of the past. In the cases >>> + they must be used, not only should the password be extremely >>> + complex, but also use a powerful hash mechanism to protect it. >>> + At the time of this writing, &os; supports >>> + <acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish, >>> + <acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in >>> + the <function>crypt()</function> library. The default is >>> + <acronym>SHA</acronym>512 and should not be changed backwards; >>> + however, some users like to use the Blowfish option. Each >>> + mechanism, aside from <acronym>DES</acronym>, has a unique >>> + beginning to designate the hash mechanism assigned. For the >>> + <acronym>MD</acronym>5 mechanism, the symbol is a >>> + <quote>$</quote> sign. For the <acronym>SHA</acronym>256 or >>> + <acronym>SHA</acronym>512, the symbol is <quote>$6$</quote> >>> + and Blowfish uses <quote>$2a$</quote>. Any weaker passwords >>> + should be re-hashed by asking the user to run &man.passwd.1; >>> + during their next login.</para> >> >> I get confused by this. >> >> "Any weaker passwords" immediately follows discussion of hash >> mechanisms, suggesting you actually mean to say "Any passwords >> protected by weaker hash mechanisms" ... although maybe you >> were done talking about hash mechanisms and were actually now >> back to talking about password complexity? Please clarify. >> >> Either way, how do I inspect /etc/spwd.db to find out who has >> weak/not-complex-enough passwords, and what hash mechanism is in use >> for each user, so I know who needs to run passwd(1)? >> >> If this info is already in the chapter, forgive me; I am just >> going by what's in the diff. >> >> Anyway, overall it looks great. > > Thanks! > > You actually did remind me that, with the new version I > just put in, I added a bunch of sections but completely > dropped the ball on checking for weak passwords! > > Though, the new chapter has sudo, rkhunter, and setting > up an mtree(8) based IDS and more tunables. I'll try > to work up an additional bit of cracking passwords and > the like sometime this week. Cheers, >
It may be worth noting that bcrypt (the blowfish based hashing algorithm) is not the same thing as blowfish the symmetric encryption system. It might just be best to call it bcrypt instead of blowfish. You might also mention the 'freebsd-update IDS' feature, which compares the SHA256 hashes of the base files against the know good values for a system upgraded with freebsd-update. -- Allan Jude
signature.asc
Description: OpenPGP digital signature
