From owner-freebsd-doc@FreeBSD.ORG Thu Feb 6 01:16:38 2014 Return-Path: Delivered-To: freebsd-doc@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 795FF704 for ; Thu, 6 Feb 2014 01:16:38 +0000 (UTC) Received: from mx1.scaleengine.net (beauharnois2.bhs1.scaleengine.net [142.4.218.15]) by mx1.freebsd.org (Postfix) with ESMTP id 342B71094 for ; Thu, 6 Feb 2014 01:16:37 +0000 (UTC) Received: from [10.1.1.1] (S01060001abad1dea.hm.shawcable.net [50.70.146.73]) (Authenticated sender: allan.jude@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id C74D555F71 for ; Thu, 6 Feb 2014 01:16:28 +0000 (UTC) Message-ID: <52F2E265.3050602@allanjude.com> Date: Wed, 05 Feb 2014 20:16:21 -0500 From: Allan Jude User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: freebsd-doc@freebsd.org Subject: Re: Patch (WIP): New security front matter; new shell redirection section References: <20140202175121.16a0c264.trhodes@FreeBSD.org> <201402040800.s1480fXU006990@chilled.skew.org> <20140204075336.3e6291f2.trhodes@FreeBSD.org> In-Reply-To: <20140204075336.3e6291f2.trhodes@FreeBSD.org> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="MggfRIBWbATnLD7UFvWtCoqtjO3OnGiHE" X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Feb 2014 01:16:38 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MggfRIBWbATnLD7UFvWtCoqtjO3OnGiHE Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 2014-02-04 07:53, Tom Rhodes wrote: > On Tue, 4 Feb 2014 01:00:41 -0700 (MST) > Mike Brown wrote: >=20 >> Tom Rhodes wrote: >>> + Passwords are a necessary evil of the past. In the case= s >>> + they must be used, not only should the password be extremely >>> + complex, but also use a powerful hash mechanism to protect it. >>> + At the time of this writing, &os; supports >>> + DES, MD5, Blowfish, >>> + SHA256, and SHA512 in >>> + the crypt() library. The default is >>> + SHA512 and should not be changed backwards; >>> + however, some users like to use the Blowfish option. Each >>> + mechanism, aside from DES, has a unique >>> + beginning to designate the hash mechanism assigned. For the >>> + MD5 mechanism, the symbol is a >>> + $ sign. For the SHA256 or >>> + SHA512, the symbol is $6$ >>> + and Blowfish uses $2a$. Any weaker passwords >>> + should be re-hashed by asking the user to run &man.passwd.1; >>> + during their next login. >> >> I get confused by this. >> >> "Any weaker passwords" immediately follows discussion of hash >> mechanisms, suggesting you actually mean to say "Any passwords >> protected by weaker hash mechanisms" ... although maybe you >> were done talking about hash mechanisms and were actually now >> back to talking about password complexity? Please clarify. >> >> Either way, how do I inspect /etc/spwd.db to find out who has=20 >> weak/not-complex-enough passwords, and what hash mechanism is in use >> for each user, so I know who needs to run passwd(1)? >> >> If this info is already in the chapter, forgive me; I am just >> going by what's in the diff. >> >> Anyway, overall it looks great. >=20 > Thanks! >=20 > You actually did remind me that, with the new version I > just put in, I added a bunch of sections but completely > dropped the ball on checking for weak passwords! >=20 > Though, the new chapter has sudo, rkhunter, and setting > up an mtree(8) based IDS and more tunables. I'll try > to work up an additional bit of cracking passwords and > the like sometime this week. Cheers, >=20 It may be worth noting that bcrypt (the blowfish based hashing algorithm) is not the same thing as blowfish the symmetric encryption system. It might just be best to call it bcrypt instead of blowfish. You might also mention the 'freebsd-update IDS' feature, which compares the SHA256 hashes of the base files against the know good values for a system upgraded with freebsd-update. --=20 Allan Jude --MggfRIBWbATnLD7UFvWtCoqtjO3OnGiHE Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJS8uJxAAoJEJrBFpNRJZKfHD4P/2xi3jQAK+dyFFhjb6Ciqt2W AuZJryruD3OoPdQcJAkVjlJvFzzJxpyUGfc0cczJQN18pPa9bXRLRFnH01NgJkXn xzfJ28N9BVRK0Fs69zzF4SgCAj3dkjNHzV7N135gNUE9nmiXh0sqk8XMSkcvEcKN x+M/hQkCVRppf+DHcUckCPTEzKQGTeg3XlPJbSiaiK0l6qZpnjo1ZcF3d/6oqH4P eFAyBCAglJi1QS4zwpfmhNVLhMy18IFhtW+ajtw2+/hZXZSbtMoaadMHn49+Antq rI0G/V4ZWKOCasXejeZZQrqTrcAuDSssd0/HmMikLMPFl8MqVyhwlUO5F75/nuXS JcXnK9QZIlHvUW/0b6xdJcr/Fw6rWlPWhAlGT8jJA6xFQaFIu5A64iOSCOyUa0wM gRHjfYPUxz6jgqUtLdE2BgFzFCHXaib2/6ugJLUrAjR2OMR3Erjovaq2vuRu20hZ G6mdRXFHocD+fDHFHxahdOMzy8BUmdIWOP+utaNktKOxt8cm/ekUD8Rac0lagZZV 3htzaS0G4FoUJoZhqMyRK4N3s28UqtWXMAcRRIpdvI2/zLMAiCk4PGjZkjK5Y7Wg 0PjHtXSPhzMteV8FL7D8wyeM3agblG9Wq6hjlIV41FqNlDOyRtj9f3tR3omCV703 0U9CM1muwY9tIy8lOxpf =8nGp -----END PGP SIGNATURE----- --MggfRIBWbATnLD7UFvWtCoqtjO3OnGiHE--