From owner-freebsd-security@FreeBSD.ORG Sun Jun 10 06:55:21 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2DC6B106564A for ; Sun, 10 Jun 2012 06:55:21 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) by mx1.freebsd.org (Postfix) with ESMTP id 103B88FC0C for ; Sun, 10 Jun 2012 06:55:21 +0000 (UTC) Received: from delta.delphij.net (unknown [IPv6:2001:470:83bf:0:221:5cff:fe6a:37bb]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id D70E9FDC6; Sat, 9 Jun 2012 23:55:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1339311315; bh=GpHO4E4Bc50CuuqOmhYgqOis8MBPoeRfVw8hoz/4WGs=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=N3AW2W5pZxMLQVaax+BY+x14kZk9+gSuwPyAQiYUQw7qUnfLQl6rqwABJuPnCQx0Z 4p+UKFpNVazJUX3xTifu89BUVWJ+IpHrRMbkRtug7LMYpqypaC430vJhBTy8xytTk4 tHV3oqUHH00NC3U3uNiCgwrt839C7Mque6jMOi00= Message-ID: <4FD444C5.9080701@delphij.net> Date: Sat, 09 Jun 2012 23:55:01 -0700 From: Xin Li Organization: The FreeBSD Project MIME-Version: 1.0 To: Mike Tancsa References: <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net> In-Reply-To: <4FD334BE.4020900@sentex.net> X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= , d@delphij.net, freebsd-security@freebsd.org Subject: Re: Default password hash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jun 2012 06:55:21 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 06/09/12 04:34, Mike Tancsa wrote: > On 6/8/2012 8:51 AM, Dag-Erling Smørgrav wrote: >> We still have MD5 as our default password hash, even though >> known-hash attacks against MD5 are relatively easy these days. >> We've supported SHA256 and SHA512 for many years now, so how >> about making SHA512 the default instead of MD5, like on most >> Linux distributions? > > Actually, any chance of MFC'ing SHA256 and 512 in RELENG_7 ? Its > currently not there. Ping me next Friday if nobody else would volunteer. > RELENG_7 is supported until 2013 > > Sort of a security issue considering this assessment of MD5 > > http://phk.freebsd.dk/sagas/md5crypt_eol.html > > > ---Mike > > > >> >> Index: etc/login.conf >> =================================================================== >> >> - --- etc/login.conf (revision 236616) >> +++ etc/login.conf (working copy) @@ -23,7 +23,7 @@ # AND >> SEMANTICS'' section of getcap(3) for more escape sequences). >> >> default:\ - :passwd_format=md5:\ + >> :passwd_format=sha512:\ :copyright=/etc/COPYRIGHT:\ >> :welcome=/etc/motd:\ >> :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ >> >> DES > > - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iQEcBAEBCAAGBQJP1ETFAAoJEG80Jeu8UPuzRWAH/3XDen0pxNpYDqRxfAiTKJjI A0JqyNrVMMA3/ncenceODJs+7BugXRWnC5jyAzfxC5KulL1ZcBZCfYApdWgJ+Lun yHnv/JryEK2InzGwuDX/P3Tt1TZVKtr5drs7yJuZnRaW5SWRRaPRvLqgGZ1PdNxb /cHIXL+DPxHUXhwBcInhWWImNDJU3xEcvFQSpW4C8iqGqviFLE0WlhKTGVvnwiMO lXTnyyadQMrMQW8XIgcgyNZ5b3asiTAC1TOXtaTWiFR2QPgfxZSvEoaxu/AMmep3 HegMWA0qXXCvj7E0xUECRs3tXG6hbxhaRJima8FdPeCLWcNtd12PC44xj+EuufQ= =7wMd -----END PGP SIGNATURE-----