crypt(3) style password support for lua-loader
Date: Sat, 19 Aug 2023 22:03:38 UTC
(I sent this earlier from the wrong account and either -hackers bounced it, or -hackers is down; apologies if you get a dupe on this, but I also included a reviews.freebsd.org link this time.)

Something that has always bothered me is that if you enable boot passwords with loader(8) they are stored *plaintext* in the loader.conf, so you need to make sure that file is root-only access, and it is just poor security in general.

Well, I decided to fix that. See attached, also at: https://reviews.freebsd.org/D41509

It is lua only. I evaluated doing a forth version to maintain parity with forth-loader, but that exceeds my available time at this point and I'd rather get this out there.

Includes loader.conf.5 documentation update.

This is tested and working in boot environment. (... why doesn't lua-loader have math.*?) Additionally, crypt.lua has a commented-out test suite and validates against all crypt-sha256.c and crypt-sha512.c test vectors.

The only real gotcha with this is that crypt(3) style passwords use '$' in them and that must be escaped in loader.conf(5). I debated switching this to ! or another character but decided to stick with $, as no matter what you will need to edit between strict crypt(3) format and what is placed in the config file, and this makes testing easier if the formats are strictly identical. That is, even if I changed it to not need escaping, you'd still need to edit it anyway, so if you still have to edit, might as well keep the underlying format the same. This gotcha is documented in the updated loader.conf(5).

Thanks.