From owner-freebsd-security@FreeBSD.ORG Fri Jun 8 13:00:32 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7D7FF106566B for ; Fri, 8 Jun 2012 13:00:32 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from mail.0x20.net (mail.0x20.net [217.69.76.211]) by mx1.freebsd.org (Postfix) with ESMTP id 2DDE08FC1D for ; Fri, 8 Jun 2012 13:00:31 +0000 (UTC) Received: from mail.0x20.net (mail.0x20.net [217.69.76.211]) by mail.0x20.net (Postfix) with ESMTP id 2FE256A601C for ; Fri, 8 Jun 2012 15:00:31 +0200 (CEST) X-Virus-Scanned: amavisd-new at mail.0x20.net Received: from mail.0x20.net ([217.69.76.211]) by mail.0x20.net (mail.0x20.net [217.69.76.211]) (amavisd-new, port 10024) with ESMTP id Px8tP-sxW71J for ; Fri, 8 Jun 2012 15:00:31 +0200 (CEST) Received: from e-new.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.0x20.net (Postfix) with ESMTPS id DDCF46A6006 for ; Fri, 8 Jun 2012 15:00:30 +0200 (CEST) Received: from e-new.0x20.net (localhost [127.0.0.1]) by e-new.0x20.net (8.14.5/8.14.5) with ESMTP id q58D0UFH019228 for ; Fri, 8 Jun 2012 15:00:30 +0200 (CEST) (envelope-from lars@e-new.0x20.net) Received: (from lars@localhost) by e-new.0x20.net (8.14.5/8.14.5/Submit) id q58D0Up2017988 for freebsd-security@freebsd.org; Fri, 8 Jun 2012 15:00:30 +0200 (CEST) (envelope-from lars) Date: Fri, 8 Jun 2012 15:00:30 +0200 From: Lars Engels To: freebsd-security@freebsd.org Message-ID: <20120608130030.GI5592@e-new.0x20.net> References: <86r4tqotjo.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="RxUQJxD9bT7Ys92M" Content-Disposition: inline In-Reply-To: <86r4tqotjo.fsf@ds4.des.no> X-Editor: VIM - Vi IMproved 7.3 X-Operation-System: FreeBSD 8.3-RELEASE-p2 User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Fri, 08 Jun 2012 15:19:04 +0000 Subject: Re: Default password hash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jun 2012 13:00:32 -0000 --RxUQJxD9bT7Ys92M Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 08, 2012 at 02:51:55PM +0200, Dag-Erling Sm=C3=B8rgrav wrote: > We still have MD5 as our default password hash, even though known-hash > attacks against MD5 are relatively easy these days. We've supported > SHA256 and SHA512 for many years now, so how about making SHA512 the > default instead of MD5, like on most Linux distributions? >=20 > Index: etc/login.conf > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- etc/login.conf (revision 236616) > +++ etc/login.conf (working copy) > @@ -23,7 +23,7 @@ > # AND SEMANTICS'' section of getcap(3) for more escape sequences). >=20 > default:\ > - :passwd_format=3Dmd5:\ > + :passwd_format=3Dsha512:\ > :copyright=3D/etc/COPYRIGHT:\ > :welcome=3D/etc/motd:\ > :setenv=3DMAIL=3D/var/mail/$,BLOCKSIZE=3DK,FTP_PASSIVE_MODE=3DYES= :\ >=20 +1 --RxUQJxD9bT7Ys92M Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAk/R924ACgkQKc512sD3afiqJACfflg3ODaEBe71+X4LS46fkzz+ gdMAn3hEL8Hb7Q30pviOjtJqPmjqEaaA =OxAF -----END PGP SIGNATURE----- --RxUQJxD9bT7Ys92M--