On Fri, 08 Jun 2012 07:51:55 -0500, Dag-Erling Smørgrav <d...@des.no> wrote:
We still have MD5 as our default password hash, even though known-hash attacks against MD5 are relatively easy these days. We've supported SHA256 and SHA512 for many years now, so how about making SHA512 the default instead of MD5, like on most Linux distributions? Index: etc/login.conf =================================================================== --- etc/login.conf (revision 236616) +++ etc/login.conf (working copy) @@ -23,7 +23,7 @@ # AND SEMANTICS'' section of getcap(3) for more escape sequences). default:\ - :passwd_format=md5:\ + :passwd_format=sha512:\ :copyright=/etc/COPYRIGHT:\ :welcome=/etc/motd:\ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ DES
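Review bot: the hunk switches passwd_format only in the `default` class of login.conf, so any other class that sets its own passwd_format, and the crypt_default in auth.conf that the reply points at, stay on md5 unless they are changed as well; the commit message should also say that existing md5 hashes are left untouched and only passwords set after the change get the sha512 format, so a site wanting everything moved over has to have users change their passwords.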
I strongly support this -- using either SHA-2 or Blowfish would be a great step forward. You'll also want to change the default for auth.conf so adduser picks it up.
#
# $FreeBSD: releng/9.0/etc/auth.conf 118103 2003-07-28 02:28:51Z rwatson $
#
# Configure some authentication-related defaults.  This file is being
# gradually subsumed by user class and PAM configuration.
#
# crypt_default = md5 des
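Once the default is switched, accounts hashed before the change still carry their old format, so an administrator wants a quick way to see who is still on md5 (or des/blf). The script below is an added example, not code from this thread or from FreeBSD: it classifies each master.passwd password field by its crypt(3) prefix and lists accounts whose hash is not in the wanted format; the function names and the sample file (with placeholder hash bodies) are constructed for the example.

```python
import sys

# crypt(3) modular-format prefixes mapped to the login.conf passwd_format names.
HASH_PREFIXES = {
    "$1$": "md5",
    "$5$": "sha256",
    "$6$": "sha512",
    "$2a$": "blf",
    "$2b$": "blf",
}


def classify_hash(field):
    """Return the hash algorithm name for one master.passwd password field."""
    if field == "" or field.startswith(("*", "!")):
        return "locked-or-empty"      # no usable hash: locked or passwordless
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if not field.startswith("$") and len(field) == 13:
        return "des"                  # traditional 13-character DES crypt
    return "unknown"


def audit_master_passwd(lines, wanted="sha512"):
    """Return [(user, algorithm)] for unlocked accounts not hashed with `wanted`."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")      # name:password:uid:gid:class:change:expire:gecos:home:shell
        if len(fields) < 2:
            continue
        algo = classify_hash(fields[1])
        if algo not in (wanted, "locked-or-empty"):
            findings.append((fields[0], algo))
    return findings


# Constructed sample in master.passwd layout; hash bodies are placeholders, not real hashes.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real system file
root:$6$SALT$SHA512PLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$SALT$MD5PLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$10$BLFPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
carol:$5$SALT$SHA256PLACEHOLDER:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    # Pass a file path (e.g. a copy of /etc/master.passwd) to audit it; otherwise use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_PASSWD
    for user, algo in audit_master_passwd(source.splitlines()):
        print(f"{user}: still hashed with {algo}")
```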