Date:      Sat, 09 Jun 2012 09:34:39 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: Default password hash
Message-ID:  <4FD350EF.6080802@sentex.net>
In-Reply-To: <fe8cae35d2bd014f8b81d264fa024ba4.squirrel@eternamente.info>
References:  <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net> <fe8cae35d2bd014f8b81d264fa024ba4.squirrel@eternamente.info>

On 6/9/2012 9:19 AM, someone wrote:
> hi,
> 
> what is needed to change from md5 to sha512? As all old passwd are md5, I imagine there is a
> sequence of steps not to lock me out of the box. is there any place that documents this?

You need a relatively recent RELENG_8, not sure the exact date.  To
change the pass format, edit the file login.conf
cd /etc

vi /etc/login.conf

where it shows

default:\
        :passwd_format=md5:\

change it to

default:\
        :passwd_format=sha512:\

Regenerate the db file
cap_mkdb login.conf

The old passwd hash that's MD5 based will look something like

0(cage2)# grep testuser /etc/master.passwd
testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User
&:/home/testuser:/bin/sh
0(cage2)#

note the $1$

change the users passwd to something new, or just use the old passwd,
but re-enter it

1(cage2)# grep testuser /etc/master.passwd
testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User
&:/home/testuser:/bin/sh
0(cage2)# passwd testuser
Changing local password for testuser
New Password:
Retype New Password:
0(cage2)# grep testuser /etc/master.passwd
testuser:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:1004:1004::0:0:User
&:/home/testuser:/bin/sh
0(cage2)#


Note the $6$ in the hash, and it's now super long.

If your FreeBSD version does not support sha512, Blowfish might be a
better alternative.  Not sure, perhaps others here know how safe it is.

again, change the same file to

default:\
        :passwd_format=blf:\

and do a cap_mkdb login.conf

0(cage2)# passwd testuser
Changing local password for testuser
New Password:
Retype New Password:
0(cage2)# grep testuser /etc/master.passwd
testuser:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1004:1004::0:0:User
&:/home/testuser:/bin/sh
0(cage2)#

Note the $2a$

Another place to do it is in auth.conf, but I usually do it in login.conf
as shown above.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html



	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
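Switching passwd_format in login.conf only affects hashes written from then on, so the practical follow-up to the procedure above is finding which accounts still carry the old $1$ hash and need passwd(1) run against them. The following audit script is an added example, not part of the thread; the master.passwd lines it scans are constructed (hashes copied from the messages above), and it assumes the second colon-separated field of master.passwd holds the crypt(3) hash.

```shell
#!/bin/sh
# Map each local account's crypt(3) hash to the passwd_format name used in
# login.conf ($1$ = md5, $6$ = sha512, $2a$ = blf) and list the accounts
# that still need to be re-hashed after the default was changed.
# Added example; sample data is constructed, not a real master.passwd.

SAMPLE_MASTER_PASSWD=$(cat <<'EOF'
root:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:0:0::0:0:Charlie &:/root:/bin/csh
testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh
bob:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1005:1005::0:0:Bob &:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
)

# Classify one hash string by its crypt(3) prefix.
hash_format() {
    case "$1" in
        '$1$'*)  echo md5 ;;
        '$6$'*)  echo sha512 ;;
        '$2a$'*) echo blf ;;
        '*'*|'') echo locked ;;   # no usable password ('*', '*LOCKED*', empty)
        *)       echo unknown ;;
    esac
}

# Read master.passwd-style lines on stdin and print "user format" per account.
list_formats() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        echo "$user $(hash_format "$hash")"
    done
}

# Print the accounts whose hash is not in the wanted format and is not a
# locked placeholder: these are the ones whose password must be re-entered.
needs_rehash() {
    wanted=$1
    list_formats | awk -v want="$wanted" '$2 != want && $2 != "locked" { print $1 }'
}

# Against the constructed sample this prints "testuser" and "bob".
echo "$SAMPLE_MASTER_PASSWD" | needs_rehash sha512
```

On a real host, feed it the actual file instead: `needs_rehash sha512 < /etc/master.passwd` (as root, since the file is mode 600).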