From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
To: freebsd-security@freebsd.org
Date: Sat, 09 Jun 2012 09:34:39 -0400
Subject: Re: Default password hash
Message-ID: <4FD350EF.6080802@sentex.net>
References: <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net>

On 6/9/2012 9:19 AM, someone wrote:
> hi,
>
> what is needed to change from md5 to sha512 ? As all old passwd are md5, I imagine there is a
> sequence of steps not to lock me out of the box. is there any place that documents this ?

You need a relatively recent RELENG_8, not sure the exact date.
To change the pass format, edit the file login.conf

    cd /etc
    vi /etc/login.conf

where it shows

    default:\
            :passwd_format=md5:\

change it to

    default:\
            :passwd_format=sha512:\

Regenerate the db file

    cap_mkdb login.conf

The old passwd hash that's MD5 based will look something like

    0(cage2)# grep testuser /etc/master.passwd
    testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh
    0(cage2)#

note the $1$

change the user's passwd to something new, or just use the old passwd, but re-enter it

    1(cage2)# grep testuser /etc/master.passwd
    testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh
    0(cage2)# passwd testuser
    Changing local password for testuser
    New Password:
    Retype New Password:
    0(cage2)# grep testuser /etc/master.passwd
    testuser:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:1004:1004::0:0:User &:/home/testuser:/bin/sh
    0(cage2)#

Note the $6$ in the hash, and it's now super long.

If your FreeBSD version does not support sha512, Blowfish might be a better alternative. Not sure, perhaps others here know how safe it is. Again, change the same file to

    default:\
            :passwd_format=blf:\

and do a

    cap_mkdb login.conf

    0(cage2)# passwd testuser
    Changing local password for testuser
    New Password:
    Retype New Password:
    0(cage2)# grep testuser /etc/master.passwd
    testuser:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1004:1004::0:0:User &:/home/testuser:/bin/sh
    0(cage2)#

Note the $2a$

The other place to do it is in auth.conf, but I usually do it in login.conf as shown above.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
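The point of the procedure above is that changing passwd_format only affects passwords set from then on; every existing hash stays MD5 until that user's password is re-entered, which is exactly the lock-out concern in the original question. The script below is an added example, not part of Mike's mail or of FreeBSD itself. It shows the login.conf edit as a sed one-liner and audits a master.passwd-style file for accounts still on the legacy format by reading the crypt(3) prefix ($1$ md5, $6$ sha512, $2a$ blf). The function names, the sample login.conf and the sample master.passwd entries are constructed for the example (the hash bodies are shortened placeholders, not real credentials); on a real host you would point it at /etc/login.conf and /etc/master.passwd as root and follow the edit with cap_mkdb login.conf.

```shell
#!/bin/sh
# Added example: audit which accounts still carry an MD5 ($1$) hash after
# the login.conf passwd_format change, and apply that change with sed.
# All input is constructed sample data so the script runs offline.

# Name the crypt(3) format of one hash string from its prefix.
hash_format() {
    case "$1" in
        '$1$'*)          echo md5 ;;
        '$6$'*)          echo sha512 ;;
        '$2a$'*|'$2b$'*) echo blf ;;      # $2b$ is the newer bcrypt variant
        ''|'*'*|'!'*)    echo locked ;;   # no password, or deliberately disabled
        *)               echo unknown ;;
    esac
}

# Print "user format" for every entry of a master.passwd-style file.
# Field 2 of master.passwd is the hash; comment lines are skipped.
audit_hashes() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(hash_format "$hash")"
    done < "$1"
}

# Count accounts whose hash is still in the given format (e.g. md5). These
# are the ones that need `passwd <user>` before the old format is retired.
count_format() {
    audit_hashes "$1" | awk -v fmt="$2" '$2 == fmt { n++ } END { print n + 0 }'
}

# Rewrite passwd_format in a login.conf file and echo the resulting setting.
# On a real system run `cap_mkdb login.conf` afterwards so login.conf.db
# matches the text file.
set_passwd_format() {
    sed -i.bak "s/:passwd_format=[a-z0-9]*:/:passwd_format=$2:/" "$1"
    grep -o 'passwd_format=[a-z0-9]*' "$1"
}

# Constructed sample files: $1 = login.conf path, $2 = master.passwd path.
write_samples() {
    cat > "$1" <<'EOF'
default:\
        :passwd_format=md5:\
        :copyright=/etc/COPYRIGHT:
EOF
    cat > "$2" <<'EOF'
root:$6$saltsalt$sha512hashbodyxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh
olduser:$1$abcdefgh$md5hashbodyxxxxxxxxxxxx:1005:1005::0:0:Old User:/home/olduser:/bin/sh
bfuser:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1006:1006::0:0:BF User:/home/bfuser:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Stand-alone demonstration on the constructed files.
TMP=$(mktemp -d)
write_samples "$TMP/login.conf" "$TMP/master.passwd"
echo "login.conf now has: $(set_passwd_format "$TMP/login.conf" sha512)"
audit_hashes "$TMP/master.passwd"
echo "accounts still on md5: $(count_format "$TMP/master.passwd" md5)"
rm -rf "$TMP"
```

Run it as root against the real files to get a list of who still needs a password reset; once `count_format /etc/master.passwd md5` reports 0 the MD5 format is no longer in use on that host.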