Date: Thu, 6 Feb 2014 07:56:01 -0500
From: Tom Rhodes <trhodes@FreeBSD.org>
To: Allan Jude <freebsd@allanjude.com>
Cc: freebsd-doc@freebsd.org
Subject: Re: Patch (WIP): New security front matter; new shell redirection section
Message-ID: <20140206075601.19adb2ab.trhodes@FreeBSD.org>
In-Reply-To: <52F2E265.3050602@allanjude.com>
References: <20140202175121.16a0c264.trhodes@FreeBSD.org> <201402040800.s1480fXU006990@chilled.skew.org> <20140204075336.3e6291f2.trhodes@FreeBSD.org> <52F2E265.3050602@allanjude.com>
On Wed, 05 Feb 2014 20:16:21 -0500
Allan Jude <freebsd@allanjude.com> wrote:

> On 2014-02-04 07:53, Tom Rhodes wrote:
> > On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
> > Mike Brown <mike@skew.org> wrote:
> >
> >> Tom Rhodes wrote:
> >>> + <para>Passwords are a necessary evil of the past. In the cases
> >>> + they must be used, not only should the password be extremely
> >>> + complex, but also use a powerful hash mechanism to protect it.
> >>> + At the time of this writing, &os; supports
> >>> + <acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
> >>> + <acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
> >>> + the <function>crypt()</function> library. The default is
> >>> + <acronym>SHA</acronym>512 and should not be changed backwards;
> >>> + however, some users like to use the Blowfish option. Each
> >>> + mechanism, aside from <acronym>DES</acronym>, has a unique
> >>> + beginning to designate the hash mechanism assigned. For the
> >>> + <acronym>MD</acronym>5 mechanism, the symbol is a
> >>> + <quote>$</quote> sign. For the <acronym>SHA</acronym>256 or
> >>> + <acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
> >>> + and Blowfish uses <quote>$2a$</quote>. Any weaker passwords
> >>> + should be re-hashed by asking the user to run &man.passwd.1;
> >>> + during their next login.</para>
> >>
> >> I get confused by this.
> >>
> >> "Any weaker passwords" immediately follows discussion of hash
> >> mechanisms, suggesting you actually mean to say "Any passwords
> >> protected by weaker hash mechanisms" ... although maybe you
> >> were done talking about hash mechanisms and were actually now
> >> back to talking about password complexity? Please clarify.
> >>
> >> Either way, how do I inspect /etc/spwd.db to find out who has
> >> weak/not-complex-enough passwords, and what hash mechanism is in use
> >> for each user, so I know who needs to run passwd(1)?
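Review bot: the prefix list in the <para> contradicts its own statement that each mechanism has a unique beginning: SHA256 and SHA512 are both given "$6$", and the MD5 marker is given as a bare "$", which does not identify anything. In FreeBSD's crypt(3) the MD5 prefix is "$1$", SHA-256 is "$5$", SHA-512 is "$6$" and the Blowfish-based scheme is "$2a$"; spell each out in full and call that scheme bcrypt rather than Blowfish, since Blowfish is the block cipher it is built on. The last sentence needs a subject ("passwords stored with a weaker mechanism should be re-hashed"), and "should not be changed backwards" is clearer as "should not be changed to a weaker mechanism"; note too that a stored hash cannot be converted, so the rehash only happens when the user actually changes the password.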
> >>
> >> If this info is already in the chapter, forgive me; I am just
> >> going by what's in the diff.
> >>
> >> Anyway, overall it looks great.
> >
> > Thanks!
> >
> > You actually did remind me that, with the new version I
> > just put in, I added a bunch of sections but completely
> > dropped the ball on checking for weak passwords!
> >
> > Though, the new chapter has sudo, rkhunter, and setting
> > up an mtree(8) based IDS and more tunables. I'll try
> > to work up an additional bit of cracking passwords and
> > the like sometime this week. Cheers,
> >
>
> It may be worth noting that bcrypt (the blowfish based hashing
> algorithm) is not the same thing as blowfish the symmetric encryption
> system. It might just be best to call it bcrypt instead of blowfish.

Now that is very important; I don't want people to get the wrong idea
and definitely know the difference. Maybe I should reword and rework
parts of this particular section to clear up any possible confusion.

>
> You might also mention the 'freebsd-update IDS' feature, which compares
> the SHA256 hashes of the base files against the known good values for a
> system upgraded with freebsd-update.

Good point - I actually had that in my mind on the train, but when I
began working on the IDS section, only mtree and aide came to mind.
I'll have to mention that now.

--
Tom Rhodes
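Mike's question about finding out which hash mechanism each account uses, answered as an added example that is not part of this thread or of the Handbook: a small Python audit script (my own, not a FreeBSD tool) that parses master.passwd(5)-format lines, names the crypt(3) scheme from each hash's prefix, and lists the accounts that should be asked to run passwd(1). The sample lines are constructed, and the prefixes assumed are the ones FreeBSD libcrypt emits ($1$ MD5, $2a$/$2b$ bcrypt, $5$ SHA-256, $6$ SHA-512, no prefix for DES).

```python
import re

# Constructed master.passwd(5)-style sample (name:hash:uid:gid:class:change:expire:gecos:home:shell).
# The hash fields are dummy strings shaped like each scheme's output, not real credentials.
SAMPLE_MASTER_PASSWD = """\
root:$6$NaCl$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$NaCl$aaaaaaaaaaaaaaaaaaaaaa:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$NaClNaClNaClNaClNaClNOaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$5$NaCl$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:abJnggxhB/yWI:1004:1004::0:0:Dave:/home/dave:/bin/sh
svc:*:1005:1005::0:0:Service:/nonexistent:/usr/sbin/nologin
eve::1006:1006::0:0:Eve:/home/eve:/bin/sh
"""

# Modular crypt(3) prefixes as FreeBSD libcrypt emits them: $1$ MD5, $2a$/$2b$ bcrypt
# (the Blowfish-based scheme), $5$ SHA-256, $6$ SHA-512. Traditional DES has no prefix:
# it is exactly 13 characters of the crypt alphabet.
PREFIXES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$5$": "sha256", "$6$": "sha512"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"des", "md5"}  # schemes whose holders should be asked to run passwd(1)

def hash_scheme(field):
    """Name the crypt(3) scheme used by one password field."""
    if field == "":
        return "empty"  # no password at all, worse than any weak hash
    if field.startswith("*"):
        return "locked"  # '*' or '*LOCKED*...' never matches any input
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des" if DES_RE.match(field) else "unknown"

def audit(master_passwd):
    """Return (user, scheme) for each account in master.passwd(5) text."""
    result = []
    for line in master_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: report nothing rather than guess
        result.append((fields[0], hash_scheme(fields[1])))
    return result

def users_to_rehash(master_passwd):
    """Accounts with a weak scheme or no password, i.e. who should run passwd(1)."""
    return [user for user, scheme in audit(master_passwd) if scheme in WEAK or scheme == "empty"]
```

On a real system, run it as root against /etc/master.passwd, the text source that spwd.db is built from, for example `users_to_rehash(open("/etc/master.passwd").read())`.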