From owner-freebsd-doc@FreeBSD.ORG Tue Feb 4 12:53:45 2014
Return-Path:
Delivered-To: doc@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2F291C63 for ; Tue, 4 Feb 2014 12:53:45 +0000 (UTC)
Received: from homiemail-a89.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177]) by mx1.freebsd.org (Postfix) with ESMTP id 12A7E192A for ; Tue, 4 Feb 2014 12:53:44 +0000 (UTC)
Received: from homiemail-a89.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTP id 749BC318071; Tue, 4 Feb 2014 04:53:38 -0800 (PST)
Received: from dreadnaught (ip68-100-185-59.dc.dc.cox.net [68.100.185.59]) (Authenticated sender: trhodes@fbsdsecure.org) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTPA id 1DCAC318064; Tue, 4 Feb 2014 04:53:38 -0800 (PST)
Date: Tue, 4 Feb 2014 07:53:36 -0500
From: Tom Rhodes
To: Mike Brown
Subject: Re: Patch (WIP): New security front matter; new shell redirection section
Message-Id: <20140204075336.3e6291f2.trhodes@FreeBSD.org>
In-Reply-To: <201402040800.s1480fXU006990@chilled.skew.org>
References: <20140202175121.16a0c264.trhodes@FreeBSD.org> <201402040800.s1480fXU006990@chilled.skew.org>
X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; x86_64-unknown-freebsd9.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: doc@FreeBSD.org
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Documentation project
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Feb 2014 12:53:45 -0000

On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
Mike Brown wrote:

> Tom Rhodes wrote:
> > + Passwords are a necessary evil of the past. In the cases
> > + they must be used, not only should the password be extremely
> > + complex, but also use a powerful hash mechanism to protect it.
> > + At the time of this writing, &os; supports
> > + DES, MD5, Blowfish,
> > + SHA256, and SHA512 in
> > + the crypt() library. The default is
> > + SHA512 and should not be changed backwards;
> > + however, some users like to use the Blowfish option. Each
> > + mechanism, aside from DES, has a unique
> > + beginning to designate the hash mechanism assigned. For the
> > + MD5 mechanism, the symbol is a
> > + $ sign. For the SHA256 or
> > + SHA512, the symbol is $6$
> > + and Blowfish uses $2a$. Any weaker passwords
> > + should be re-hashed by asking the user to run &man.passwd.1;
> > + during their next login.
>
> I get confused by this.
>
> "Any weaker passwords" immediately follows discussion of hash
> mechanisms, suggesting you actually mean to say "Any passwords
> protected by weaker hash mechanisms" ... although maybe you
> were done talking about hash mechanisms and were actually now
> back to talking about password complexity? Please clarify.
>
> Either way, how do I inspect /etc/spwd.db to find out who has
> weak/not-complex-enough passwords, and what hash mechanism is in use
> for each user, so I know who needs to run passwd(1)?
>
> If this info is already in the chapter, forgive me; I am just
> going by what's in the diff.
>
> Anyway, overall it looks great. Thanks!

You actually did remind me that, with the new version I just put in,
I added a bunch of sections but completely dropped the ball on checking
for weak passwords! Though, the new chapter has sudo, rkhunter, and
setting up an mtree(8) based IDS and more tunables. I'll try to work up
an additional bit of cracking passwords and the like sometime this week.

Cheers,

-- 
Tom Rhodes
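Review bot: the hash prefixes in the quoted paragraph do not match crypt(3) and should be corrected before this goes in: MD5 hashes begin with `$1$` (not a bare `$`), SHA256 with `$5$` and SHA512 with `$6$` (the text gives `$6$` for both); `$2a$` for Blowfish is right. The closing sentence should also say what "weaker passwords" means, as the reply asks; if it means hashes still in DES or MD5 form, the prefix of the second field in /etc/master.passwd is how an administrator tells them apart, which is also the answer to the question of who needs to run passwd(1). "Should not be changed backwards" reads more clearly as "should not be changed to a weaker mechanism", and the paragraph could name where the default is chosen (the passwd_format capability in login.conf(5)).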
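Mike's question above, of which hash mechanism each account uses and who therefore needs to run passwd(1), as an added example that is not part of the thread or the Handbook: it classifies the crypt(3) prefix of the password field in master.passwd-format lines. The sample lines and hash strings are constructed placeholders; on a real system the input is /etc/master.passwd (root-readable; /etc/spwd.db is its compiled form).

```shell
#!/bin/sh
# Classify the crypt(3) scheme of each account from master.passwd-format
# input: user:hash:uid:gid:class:change:expire:gecos:home:shell
# Constructed sample; none of these hashes are real.
SAMPLE='root:$6$saltsalt$AAAA:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$BBBB:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$saltsaltsaltsaltsalt.CCCC:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$5$saltsalt$DDDD:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:AbCdEfGhIjKlM:1004:1004::0:0:Dave:/home/dave:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1005:1005::0:0:Guest:/home/guest:/bin/sh'

# hash_scheme HASHFIELD -> prints the scheme name for one password field
hash_scheme() {
    case "$1" in
        '')        echo empty ;;     # no password set at all
        '*'*|'!'*) echo locked ;;    # password login disabled
        '$1$'*)    echo md5 ;;
        '$2'*)     echo blowfish ;;  # $2a$ (and later bcrypt variants)
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '$'*)      echo unknown ;;   # some other modular-crypt prefix
        *)         echo des ;;       # 13-character traditional DES
    esac
}

# report: read master.passwd lines on stdin, print "user scheme" per line
report() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        echo "$user $(hash_scheme "$hash")"
    done
}

# needs_rehash: list accounts whose stored hash is weaker than the
# schemes accepted here (sha512, sha256, blowfish); locked ones are skipped
needs_rehash() {
    report | while read -r user scheme; do
        case "$scheme" in
            sha512|sha256|blowfish|locked) ;;
            *) echo "$user ($scheme)" ;;
        esac
    done
}

# Stand-alone run over the constructed sample (use < /etc/master.passwd as root)
printf '%s\n' "$SAMPLE" | needs_rehash
```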