From owner-freebsd-doc@FreeBSD.ORG Tue Feb 4 08:16:39 2014 Return-Path: Delivered-To: doc@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0E19948C; Tue, 4 Feb 2014 08:16:39 +0000 (UTC) Received: from chilled.skew.org (chilled.skew.org [70.90.116.205]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id CFAC01FC3; Tue, 4 Feb 2014 08:16:38 +0000 (UTC) Received: from chilled.skew.org (localhost [127.0.0.1]) by chilled.skew.org (8.14.7/8.14.7) with ESMTP id s1480glR006991 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Feb 2014 01:00:42 -0700 (MST) (envelope-from mike@chilled.skew.org) Received: (from mike@localhost) by chilled.skew.org (8.14.7/8.14.7/Submit) id s1480fXU006990; Tue, 4 Feb 2014 01:00:41 -0700 (MST) (envelope-from mike) From: Mike Brown Message-Id: <201402040800.s1480fXU006990@chilled.skew.org> Subject: Re: Patch (WIP): New security front matter; new shell redirection section In-Reply-To: <20140202175121.16a0c264.trhodes@FreeBSD.org> To: Tom Rhodes Date: Tue, 4 Feb 2014 01:00:41 -0700 (MST) X-Whoa: whoa. X-Mailer: ELM [version 2.4ME+ PL126 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="UTF-8" Cc: doc@FreeBSD.org X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Feb 2014 08:16:39 -0000 Tom Rhodes wrote: > + Passwords are a necessary evil of the past. In the cases > + they must be used, not only should the password be extremely > + complex, but also use a powerful hash mechanism to protect it. > + At the time of this writing, &os; supports > + DES, MD5, Blowfish, > + SHA256, and SHA512 in > + the crypt() library. The default is > + SHA512 and should not be changed backwards; > + however, some users like to use the Blowfish option. Each > + mechanism, aside from DES, has a unique > + beginning to designate the hash mechanism assigned. For the > + MD5 mechanism, the symbol is a > + $ sign. For the SHA256 or > + SHA512, the symbol is $6$ > + and Blowfish uses $2a$. Any weaker passwords > + should be re-hashed by asking the user to run &man.passwd.1; > + during their next login. I get confused by this. "Any weaker passwords" immediately follows discussion of hash mechanisms, suggesting you actually mean to say "Any passwords protected by weaker hash mechanisms" ... although maybe you were done talking about hash mechanisms and were actually now back to talking about password complexity? Please clarify. Either way, how do I inspect /etc/spwd.db to find out who has weak/not-complex-enough passwords, and what hash mechanism is in use for each user, so I know who needs to run passwd(1)? If this info is already in the chapter, forgive me; I am just going by what's in the diff. Anyway, overall it looks great.