On 2017-03-23 05:35 PM, jason matthews wrote:
On 3/23/17 4:49 PM, Timothy Coalson wrote:
When you are done, your hash should look something like this:
jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::
If someone can crack this hash I will buy you a beer.
There's some logic to why the shadow file isn't world-readable. You might
want to reset that password soon anyway (if you haven't already), as the
NSA may decide not to ask for that beer ;)
First let me assure you, the NSA is not coming in with a password.
They might come in through the Intel ME or perhaps through the service
processor (Apple recently dumped Supermicro as a vendor due to malware
embedded in their service processor firmware updates), but they are not
coming with a password. They may even come in with one of the highly
bloated BIOSes. There are easier ways than trying to break a 39-character,
Blowfish-hashed password with sixteen rounds.
Hashes used to be left out in the open. The real-world circumstances
behind concealing hashes and the creation of /etc/shadow date back to
the '70s, when Unix crypt was pretty much unbreakable with the compute
power available at the time. When the late '80s and early '90s rolled
around, suddenly it was possible to calculate hashes fast enough to
crack dictionary words. We are well beyond that now. I have three
GTX 1080s, each capable of doing 8+ billion hashes per second for SHA1
(assuming a small number of target hashes). The name of the game is to
make hashing take a long, long time. Since it takes seven CPU seconds
for passwd(1) on an L5630 to compute just one iteration of my
thirty-nine-character password, I am going to bet that it is pretty
safe out in the open, unless someone finds a new attack vector against
Blowfish. In this event, they'll probably get more than a beer from
Bruce. The best-case scenario is if I only used lower case, which means
the number of possibilities is limited to 26^39 or (according to
echo 26^39 | bc) 15274273784216769021564085930704478424313742483024510976
possibilities. Each possibility takes seven seconds. I think my beer
money is safe.
While the hash is real, it was for demonstration purposes only. I don't
actually use that in a shadow file. Still, show me the plain text and
the beer is yours.
If we are worried about security...
Create a separate user that has no shell.
Give that user just the necessary zfs permissions.
Create a batch file that the user can execute; set the zfs recv command
as the only command that can be remotely executed in the batch file.
Make it so that user can only log in from a specific IP address.
Set no-port-forwarding,no-X11-forwarding,no-agent-forwarding.
Geoff
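The five steps Geoff lists above, worked through as one added example (this is not code from the thread or from the OpenIndiana project): a forced-command wrapper for a receive-only replication user, with the useradd, zfs allow and authorized_keys lines that go with it in the header comment. The user name zfsrecv, the dataset tank/backups, the sender address 192.0.2.10, the wrapper path /usr/local/bin/zfs-recv-only and the zfs binary path /usr/sbin/zfs are assumptions chosen for the example.

```shell
#!/bin/sh
# zfs-recv-only: forced command for a receive-only ZFS replication account.
# Added example for the openindiana-discuss thread; names below are assumptions.
#
# Install outline (as root on the receiving host):
#   useradd -s /usr/bin/false -d /export/home/zfsrecv -m zfsrecv   # no interactive shell
#   zfs create tank/backups
#   zfs allow zfsrecv create,mount,receive tank/backups            # only what recv needs
#   # one line in /export/home/zfsrecv/.ssh/authorized_keys (assumed sender 192.0.2.10):
#   command="/usr/local/bin/zfs-recv-only",from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup@sender
#
# sshd then runs this script instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND; nothing else is reachable.

set -f                      # no pathname expansion while we word-split the request
ALLOWED_PARENT="tank/backups"   # assumed: the only dataset subtree the sender may write under
ZFS=/usr/sbin/zfs           # assumed absolute path; never trust PATH from the caller

# check_command "<request>": return 0 only for
#   zfs recv|receive [-u] [-F] <dataset under ALLOWED_PARENT>
check_command() {
    set -- $1               # split the request on whitespace
    [ "$1" = "zfs" ] || return 1
    shift
    case "$1" in recv|receive) ;; *) return 1 ;; esac
    shift
    # any number of the two permitted flags, then exactly one dataset name
    while [ $# -gt 1 ]; do
        case "$1" in
            -u|-F|-uF|-Fu) shift ;;
            *) return 1 ;;
        esac
    done
    [ $# -eq 1 ] || return 1
    case "$1" in
        "$ALLOWED_PARENT"/*) ;;     # must be strictly below the allowed subtree
        *) return 1 ;;
    esac
    # dataset names are a narrow alphabet; this also rejects ; ` $ ( ) and spaces
    case "$1" in
        *[!A-Za-z0-9_./:-]*|*..*) return 1 ;;
    esac
    return 0
}

# run_forced_command "<request>": exec the validated request or log and refuse.
run_forced_command() {
    request="$1"
    if check_command "$request"; then
        set -- $request
        shift                               # drop the leading "zfs" word
        exec "$ZFS" "$@"
    fi
    logger -p auth.warning "zfs-recv-only: rejected '$request' from ${SSH_CLIENT%% *}"
    exit 1
}

# Only act when invoked by sshd (which sets SSH_CONNECTION); sourcing the file
# elsewhere just defines the functions. An empty request (plain "ssh zfsrecv@host")
# is refused too.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced_command "${SSH_ORIGINAL_COMMAND:-}"
fi
```

Two layers do the work here: sshd enforces from= and the no-*-forwarding options before the key is even accepted, and command= means the client never picks what runs, it only supplies a string that the wrapper is free to refuse. On the sending side the replication job stays an ordinary `zfs send ... | ssh zfsrecv@host zfs recv -F tank/backups/host1/root`, so nothing changes except that anything other than that command is logged and dropped.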
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss