From owner-freebsd-doc@FreeBSD.ORG Thu Feb 6 12:56:15 2014 Return-Path: Delivered-To: freebsd-doc@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 87D8125F for ; Thu, 6 Feb 2014 12:56:15 +0000 (UTC) Received: from hapkido.dreamhost.com (hapkido.dreamhost.com [66.33.216.122]) by mx1.freebsd.org (Postfix) with ESMTP id 605BD118F for ; Thu, 6 Feb 2014 12:56:15 +0000 (UTC) Received: from homiemail-a113.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by hapkido.dreamhost.com (Postfix) with ESMTP id 9B3D8DCB58 for ; Thu, 6 Feb 2014 04:56:07 -0800 (PST) Received: from homiemail-a113.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a113.g.dreamhost.com (Postfix) with ESMTP id 454712005D10B; Thu, 6 Feb 2014 04:56:02 -0800 (PST) Received: from dreadnaught (ip68-100-185-59.dc.dc.cox.net [68.100.185.59]) (Authenticated sender: trhodes@fbsdsecure.org) by homiemail-a113.g.dreamhost.com (Postfix) with ESMTPA id E611B2005D10A; Thu, 6 Feb 2014 04:56:01 -0800 (PST) Date: Thu, 6 Feb 2014 07:56:01 -0500 From: Tom Rhodes To: Allan Jude Subject: Re: Patch (WIP): New security front matter; new shell redirection section Message-Id: <20140206075601.19adb2ab.trhodes@FreeBSD.org> In-Reply-To: <52F2E265.3050602@allanjude.com> References: <20140202175121.16a0c264.trhodes@FreeBSD.org> <201402040800.s1480fXU006990@chilled.skew.org> <20140204075336.3e6291f2.trhodes@FreeBSD.org> <52F2E265.3050602@allanjude.com> X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; x86_64-unknown-freebsd9.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-doc@freebsd.org X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Feb 2014 12:56:15 -0000 On Wed, 05 Feb 2014 20:16:21 -0500 Allan Jude wrote: > On 2014-02-04 07:53, Tom Rhodes wrote: > > On Tue, 4 Feb 2014 01:00:41 -0700 (MST) > > Mike Brown wrote: > > > >> Tom Rhodes wrote: > >>> + Passwords are a necessary evil of the past. In the cases > >>> + they must be used, not only should the password be extremely > >>> + complex, but also use a powerful hash mechanism to protect it. > >>> + At the time of this writing, &os; supports > >>> + DES, MD5, Blowfish, > >>> + SHA256, and SHA512 in > >>> + the crypt() library. The default is > >>> + SHA512 and should not be changed backwards; > >>> + however, some users like to use the Blowfish option. Each > >>> + mechanism, aside from DES, has a unique > >>> + beginning to designate the hash mechanism assigned. For the > >>> + MD5 mechanism, the symbol is a > >>> + $ sign. For the SHA256 or > >>> + SHA512, the symbol is $6$ > >>> + and Blowfish uses $2a$. Any weaker passwords > >>> + should be re-hashed by asking the user to run &man.passwd.1; > >>> + during their next login. > >> > >> I get confused by this. > >> > >> "Any weaker passwords" immediately follows discussion of hash > >> mechanisms, suggesting you actually mean to say "Any passwords > >> protected by weaker hash mechanisms" ... although maybe you > >> were done talking about hash mechanisms and were actually now > >> back to talking about password complexity? Please clarify. > >> > >> Either way, how do I inspect /etc/spwd.db to find out who has > >> weak/not-complex-enough passwords, and what hash mechanism is in use > >> for each user, so I know who needs to run passwd(1)? > >> > >> If this info is already in the chapter, forgive me; I am just > >> going by what's in the diff. > >> > >> Anyway, overall it looks great. > > > > Thanks! > > > > You actually did remind me that, with the new version I > > just put in, I added a bunch of sections but completely > > dropped the ball on checking for weak passwords! > > > > Though, the new chapter has sudo, rkhunter, and setting > > up an mtree(8) based IDS and more tunables. I'll try > > to work up an additional bit of cracking passwords and > > the like sometime this week. Cheers, > > > > It may be worth noting that bcrypt (the blowfish based hashing > algorithm) is not the same thing as blowfish the symmetric encryption > system. It might just be best to call it bcrypt instead of blowfish. Now that is very important, I don't want people to get the wrong idea and definitely know the difference. Maybe I should reword and rework parts of this particular section to clear up any possible confusion. > > You might also mention the 'freebsd-update IDS' feature, which compares > the SHA256 hashes of the base files against the know good values for a > system upgraded with freebsd-update. Good point - I actually had that in my mind on the train, but when I began working on the IDS section, only mtree and aide came to mind. I'll have to mention that now. -- Tom Rhodes