On Wed, 05 Feb 2014 20:16:21 -0500 Allan Jude <free...@allanjude.com> wrote:
> On 2014-02-04 07:53, Tom Rhodes wrote:
> > On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
> > Mike Brown <m...@skew.org> wrote:
> >
> >> Tom Rhodes wrote:
> >>> + <para>Passwords are a necessary evil of the past. In the cases
> >>> + they must be used, not only should the password be extremely
> >>> + complex, but also use a powerful hash mechanism to protect it.
> >>> + At the time of this writing, &os; supports
> >>> + <acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
> >>> + <acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
> >>> + the <function>crypt()</function> library. The default is
> >>> + <acronym>SHA</acronym>512 and should not be changed backwards;
> >>> + however, some users like to use the Blowfish option. Each
> >>> + mechanism, aside from <acronym>DES</acronym>, has a unique
> >>> + beginning to designate the hash mechanism assigned. For the
> >>> + <acronym>MD</acronym>5 mechanism, the symbol is a
> >>> + <quote>$</quote> sign. For the <acronym>SHA</acronym>256 or
> >>> + <acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
> >>> + and Blowfish uses <quote>$2a$</quote>. Any weaker passwords
> >>> + should be re-hashed by asking the user to run &man.passwd.1;
> >>> + during their next login.</para>
> >>
> >> I get confused by this.
> >>
> >> "Any weaker passwords" immediately follows discussion of hash
> >> mechanisms, suggesting you actually mean to say "Any passwords
> >> protected by weaker hash mechanisms" ... although maybe you
> >> were done talking about hash mechanisms and were actually now
> >> back to talking about password complexity? Please clarify.
> >>
> >> Either way, how do I inspect /etc/spwd.db to find out who has
> >> weak/not-complex-enough passwords, and what hash mechanism is in use
> >> for each user, so I know who needs to run passwd(1)?
> >>
> >> If this info is already in the chapter, forgive me; I am just
> >> going by what's in the diff.
> >>
> >> Anyway, overall it looks great.
> >
> > Thanks!
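Review bot: the prefix list in the quoted `<para>` contradicts itself: it says each mechanism (aside from DES) has a unique beginning, then assigns the same `$6$` to both SHA256 and SHA512 and gives MD5 a bare `$`. In crypt(3) the MD5 prefix is `$1$`, SHA256 is `$5$`, SHA512 is `$6$`, and bcrypt is `$2a$`; suggest listing each mechanism with its own prefix and stating explicitly that DES hashes carry no prefix, so that a reader can actually tell the mechanisms apart in the password database. "should not be changed backwards" is also unclear; "should not be changed to a weaker mechanism" says what is meant.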
> >
> > You actually did remind me that, with the new version I
> > just put in, I added a bunch of sections but completely
> > dropped the ball on checking for weak passwords!
> >
> > Though, the new chapter has sudo, rkhunter, and setting
> > up an mtree(8) based IDS and more tunables. I'll try
> > to work up an additional bit of cracking passwords and
> > the like sometime this week. Cheers,
> >
>
> It may be worth noting that bcrypt (the blowfish based hashing
> algorithm) is not the same thing as blowfish the symmetric encryption
> system. It might just be best to call it bcrypt instead of blowfish.

Now that is very important, I don't want people to get the wrong idea and definitely know the difference. Maybe I should reword and rework parts of this particular section to clear up any possible confusion.

>
> You might also mention the 'freebsd-update IDS' feature, which compares
> the SHA256 hashes of the base files against the known good values for a
> system upgraded with freebsd-update.

Good point - I actually had that in my mind on the train, but when I began working on the IDS section, only mtree and aide came to mind. I'll have to mention that now.

--
Tom Rhodes

_______________________________________________
freebsd-doc@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-doc
To unsubscribe, send any mail to "freebsd-doc-unsubscr...@freebsd.org"
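Mike's question (which hash mechanism is in use for each account, so the admin knows who should run passwd(1)) can be answered by reading the second field of master.passwd(5) and matching the prefix crypt(3) puts on each hash. The script below is an added example, not code from the thread or from the Handbook; it uses the prefixes as crypt(3) actually emits them ($1$ MD5, $2a$ bcrypt plus the later $2b$ variant, $5$ SHA-256, $6$ SHA-512, no prefix for DES), which differ from the draft paragraph's list, and runs on a constructed sample when no file is given.

```shell
#!/bin/sh
# Audit which crypt(3) mechanism protects each account's password.
# Usage: hashaudit.sh [/etc/master.passwd] (the real file is root-readable);
# with no argument it runs on the constructed sample below.
# Constructed sample in master.passwd(5) format; the hash bodies are dummy text.
SAMPLE_MASTER_PASSWD='root:$6$saltsalt$ConstructedSha512Body:0:0::0:0:Charlie &:/root:/bin/sh
legacy:xyPvLxzWcYtQk:1001:1001::0:0:Legacy User:/home/legacy:/bin/sh
md5user:$1$saltsalt$ConstructedMd5Body:1002:1002::0:0:MD5 User:/home/md5user:/bin/sh
bcuser:$2a$10$ConstructedBcryptSaltAndBody:1003:1003::0:0:Bcrypt User:/home/bcuser:/bin/sh
nopass:*:1004:1004::0:0:Service Account:/nonexistent:/usr/sbin/nologin'

# Map a hash string to its mechanism by the prefix crypt(3) emits.
classify_hash() {
    case "$1" in
        '$2a$'*|'$2b$'*) echo bcrypt ;;   # $2b$ is the newer bcrypt variant
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$1$'*)          echo md5 ;;
        ''|'*'*|'!'*)    echo locked ;;   # empty, or login disabled
        '$'*)            echo unknown ;;  # some other modular-crypt format
        *)               echo des ;;      # classic 13-character DES hash
    esac
}

# Print "user mechanism" for every account in a master.passwd-style file.
report_mechanisms() {
    while IFS=: read -r user pw _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(classify_hash "$pw")"
    done < "$1"
}

# Accounts whose hash is weaker than the SHA-512 default (bcrypt is also
# acceptable): these are the users who should be asked to run passwd(1).
needs_rehash() {
    report_mechanisms "$1" |
        awk '$2 != "sha512" && $2 != "bcrypt" && $2 != "locked" { print $1 }'
}

main() {
    file=${1:-}
    if [ -z "$file" ]; then
        file=$(mktemp) || exit 1
        printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$file"
        trap 'rm -f "$file"' EXIT
    fi
    echo "hash mechanism per account:"; report_mechanisms "$file"
    echo "accounts that should run passwd(1):"; needs_rehash "$file"
}
main "$@"
```

On the sample it flags `legacy` (DES) and `md5user` (MD5) while leaving the SHA-512, bcrypt and locked accounts alone; an `unknown` result means a modular-crypt prefix this script does not know and is worth a manual look.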