Patch (WIP): New security front matter; new shell redirection section

Allan Jude freebsd at allanjude.com
Thu Feb 6 01:16:38 UTC 2014


On 2014-02-04 07:53, Tom Rhodes wrote:
> On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
> Mike Brown <mike at skew.org> wrote:
> 
>> Tom Rhodes wrote:
>>> +      <para>Passwords are a necessary evil of the past.  In the cases
>>> +	they must be used, not only should the password be extremely
>>> +	complex, but also use a powerful hash mechanism to protect it.
>>> +	At the time of this writing, &os; supports
>>> +	<acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
>>> +	<acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
>>> +	the <function>crypt()</function> library.  The default is
>>> +	<acronym>SHA</acronym>512 and should not be changed backwards;
>>> +	however, some users like to use the Blowfish option.  Each
>>> +	mechanism, aside from <acronym>DES</acronym>, has a unique
>>> +	beginning to designate the hash mechanism assigned.  For the
>>> +	<acronym>MD</acronym>5 mechanism, the symbol is a
>>> +	<quote>$</quote> sign.  For the <acronym>SHA</acronym>256 or
>>> +	<acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
>>> +	and Blowfish uses <quote>$2a$</quote>.  Any weaker passwords
>>> +	should be re-hashed by asking the user to run &man.passwd.1;
>>> +	during their next login.</para>
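Review bot: the hash-prefix list in this paragraph does not match crypt(3): SHA256 and SHA512 are both given the `$6$` marker, but `$6$` identifies SHA-512 only, SHA-256 hashes begin with `$5$`, and the MD5 marker is `$1$` rather than a bare `$`. Suggest spelling the list out as `$1$` for MD5, `$2a$` for Blowfish (bcrypt), `$5$` for SHA256 and `$6$` for SHA512, and rewording "should not be changed backwards" to "should not be changed to a weaker mechanism" so the sentence says what it means.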
>>
>> I get confused by this.
>>
>> "Any weaker passwords" immediately follows discussion of hash
>> mechanisms, suggesting you actually mean to say "Any passwords
>> protected by weaker hash mechanisms" ... although maybe you
>> were done talking about hash mechanisms and were actually now
>> back to talking about password complexity? Please clarify.
>>
>> Either way, how do I inspect /etc/spwd.db to find out who has 
>> weak/not-complex-enough passwords, and what hash mechanism is in use
>> for each user, so I know who needs to run passwd(1)?
>>
>> If this info is already in the chapter, forgive me; I am just
>> going by what's in the diff.
>>
>> Anyway, overall it looks great.
> 
> Thanks!
> 
> You actually did remind me that, with the new version I
> just put in, I added a bunch of sections but completely
> dropped the ball on checking for weak passwords!
> 
> Though, the new chapter has sudo, rkhunter, and setting
> up an mtree(8) based IDS and more tunables.  I'll try
> to work up an additional bit of cracking passwords and
> the like sometime this week.  Cheers,
> 

It may be worth noting that bcrypt (the blowfish based hashing
algorithm) is not the same thing as blowfish the symmetric encryption
system. It might just be best to call it bcrypt instead of blowfish.

You might also mention the 'freebsd-update IDS' feature, which compares
the SHA256 hashes of the base files against the known good values for a
system upgraded with freebsd-update.

-- 
Allan Jude
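On Mike's question above about finding out which hash mechanism each account uses: the script below is an added example, not part of this thread or of the Handbook patch. It classifies the crypt(3) prefixes in master.passwd-style lines so accounts still on DES or MD5 can be asked to re-run passwd(1); the sample lines are constructed, and it assumes the standard prefixes `$1$` (MD5), `$2a$`/`$2b$` (bcrypt), `$5$` (SHA-256) and `$6$` (SHA-512).

```shell
#!/bin/sh
# Added example: audit the crypt(3) hash mechanism per account in a
# master.passwd-style file. Sample data below is constructed, not real.

# Map one crypt(3) hash field to its mechanism name.
classify_hash() {
    case "$1" in
        '$1$'*)            echo MD5 ;;
        '$2a$'*|'$2b$'*)   echo bcrypt ;;
        '$5$'*)            echo SHA-256 ;;
        '$6$'*)            echo SHA-512 ;;
        ''|'*'*|'!'*)      echo locked-or-empty ;;  # '*', '*LOCKED*' disable login
        *)  # traditional DES hashes are 13 characters with no '$' prefix
            if [ "${#1}" -eq 13 ]; then echo DES; else echo unknown; fi ;;
    esac
}

# Read master.passwd lines (user:hash:uid:...) from stdin and print
# "user mechanism" per account, skipping comments and blank lines.
audit_hashes() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done
}

# Constructed sample in master.passwd format (all hash values are fake).
SAMPLE='root:$6$saltsalt$fakehashvalue:0:0::0:0:Charlie &:/root:/bin/sh
alice:$2a$10$fakebcryptsaltandhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$fakemd5$hash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:ab3XyzQ9mL0pK:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin'

# Print the accounts whose hash mechanism is weaker than the SHA-512 default.
weak_accounts() {
    printf '%s\n' "$SAMPLE" | audit_hashes | while read -r user mech; do
        case "$mech" in DES|MD5) echo "$user" ;; esac
    done
}

weak_accounts
```

To run it against a live system, replace the sample with `cat /etc/master.passwd` (readable by root only).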


