Patch (WIP): New security front matter; new shell redirection section
Tom Rhodes
trhodes at FreeBSD.org
Thu Feb 6 12:56:15 UTC 2014
On Wed, 05 Feb 2014 20:16:21 -0500
Allan Jude <freebsd at allanjude.com> wrote:
> On 2014-02-04 07:53, Tom Rhodes wrote:
> > On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
> > Mike Brown <mike at skew.org> wrote:
> >
> >> Tom Rhodes wrote:
> >>> + <para>Passwords are a necessary evil of the past. In the cases
> >>> + they must be used, not only should the password be extremely
> >>> + complex, but also use a powerful hash mechanism to protect it.
> >>> + At the time of this writing, &os; supports
> >>> + <acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
> >>> + <acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
> >>> + the <function>crypt()</function> library. The default is
> >>> + <acronym>SHA</acronym>512 and should not be changed backwards;
> >>> + however, some users like to use the Blowfish option. Each
> >>> + mechanism, aside from <acronym>DES</acronym>, has a unique
> >>> + beginning to designate the hash mechanism assigned. For the
> >>> + <acronym>MD</acronym>5 mechanism, the symbol is a
> >>> + <quote>$</quote> sign. For the <acronym>SHA</acronym>256 or
> >>> + <acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
> >>> + and Blowfish uses <quote>$2a$</quote>. Any weaker passwords
> >>> + should be re-hashed by asking the user to run &man.passwd.1;
> >>> + during their next login.</para>
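Review bot: the prefixes given here contradict the paragraph's own claim that each mechanism has a unique beginning: MD5 gets a bare "$" while SHA256 and SHA512 share "$6$". Check the values against crypt(3), where MD5 hashes start with "$1$", SHA-256 with "$5$" and SHA-512 with "$6$", and give each mechanism its own line in the same "$n$" form. The "$2a$" prefix designates the bcrypt password hash rather than the Blowfish cipher, so "Blowfish" should read "bcrypt" here, and "Any weaker passwords" should state whether it means passwords stored with a weaker hash mechanism or passwords that are not complex enough, since it directly follows the hash discussion.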
> >>
> >> I get confused by this.
> >>
> >> "Any weaker passwords" immediately follows discussion of hash
> >> mechanisms, suggesting you actually mean to say "Any passwords
> >> protected by weaker hash mechanisms" ... although maybe you
> >> were done talking about hash mechanisms and were actually now
> >> back to talking about password complexity? Please clarify.
> >>
> >> Either way, how do I inspect /etc/spwd.db to find out who has
> >> weak/not-complex-enough passwords, and what hash mechanism is in use
> >> for each user, so I know who needs to run passwd(1)?
> >>
> >> If this info is already in the chapter, forgive me; I am just
> >> going by what's in the diff.
> >>
> >> Anyway, overall it looks great.
> >
> > Thanks!
> >
> > You actually did remind me that, with the new version I
> > just put in, I added a bunch of sections but completely
> > dropped the ball on checking for weak passwords!
> >
> > Though, the new chapter has sudo, rkhunter, and setting
> > up an mtree(8) based IDS and more tunables. I'll try
> > to work up an additional bit of cracking passwords and
> > the like sometime this week. Cheers,
> >
>
> It may be worth noting that bcrypt (the blowfish based hashing
> algorithm) is not the same thing as blowfish the symmetric encryption
> system. It might just be best to call it bcrypt instead of blowfish.
Now that is very important; I don't want people to get the wrong
idea and definitely know the difference. Maybe I should reword
and rework parts of this particular section to clear up any possible
confusion.
>
> You might also mention the 'freebsd-update IDS' feature, which compares
> the SHA256 hashes of the base files against the known good values for a
> system upgraded with freebsd-update.
Good point - I actually had that in my mind on the train, but when
I began working on the IDS section, only mtree and aide came to
mind. I'll have to mention that now.
--
Tom Rhodes
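One way to answer Mike's question of which accounts still use a legacy hash mechanism, as an added example that is not part of this thread or of the FreeBSD documentation: the script below reads a file in master.passwd(5) format and classifies each account by the crypt(3) prefix of its password field ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $2a$ bcrypt, a bare 13-character string for DES). The sample entries are constructed and the hash strings are placeholders, not real hashes.

```sh
#!/bin/sh
# Classify the crypt(3) hash mechanism used by each account in a
# master.passwd(5)-format file and list the accounts whose hashes use a
# legacy mechanism (DES or MD5), so their owners can be asked to run passwd(1).

# classify_hashes FILE -> one "user MECHANISM" line per account
classify_hashes() {
    awk -F: '
        # skip comments, blank lines and malformed records
        /^#/ || NF < 2 { next }
        {
            h = $2
            if (h == "")                         m = "EMPTY"    # no password set
            else if (h ~ /^[*!]/)                m = "LOCKED"   # password login disabled
            else if (h ~ /^\$6\$/)               m = "SHA512"
            else if (h ~ /^\$5\$/)               m = "SHA256"
            else if (h ~ /^\$2[aby]?\$/)         m = "BCRYPT"
            else if (h ~ /^\$1\$/)               m = "MD5"
            else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/) m = "DES"
            else                                 m = "UNKNOWN"
            print $1, m
        }' "$1"
}

# weak_hash_users FILE -> names of accounts still stored with DES or MD5
weak_hash_users() {
    classify_hashes "$1" | awk '$2 == "DES" || $2 == "MD5" { print $1 }'
}

# Constructed sample database (master.passwd(5) layout); hash fields are
# placeholders that only carry the prefix being classified.
SAMPLE_DB=$(mktemp)
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$6$saltsalt$PLACEHOLDERHASH:0:0::0:0:Charlie:/root:/bin/sh
alice:$2a$10$PLACEHOLDERSALTPLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$PLACEHOLDERHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:ab01CD23ef45G:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF

echo "== hash mechanism per account =="
classify_hashes "$SAMPLE_DB"
echo "== accounts to re-hash via passwd(1) =="
weak_hash_users "$SAMPLE_DB"
```

On a real system the same functions can be pointed at a copy of /etc/master.passwd read as root; the binary /etc/spwd.db is generated from that file by pwd_mkdb(8), so the text form is the one to inspect.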