Date: Sat, 03 Jan 2009 22:54:44 +0100 From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de> To: freebsd-questions@freebsd.org Subject: MD5 vs. SHA1: hashed passwords in /etc/master.passwd - can we configure SHA1 as default in /etc/login.conf? Message-ID: <495FDEA4.6010301@mail.zedat.fu-berlin.de>
index | next in thread | raw e-mail
[-- Attachment #1 --]
MD5 seems to be compromised by potential collision attacks. So I tried
to figure out how I can use another hash for security purposes when
hashing passwords for local users on a FreeBSD 7/8 box, like root or
local box administration. Looking at man login.conf reveals only three
possible hash algorithms selectable: md5 (recommended), des and blf.
Changing /etc/login.conf's tag
default:\
:passwd_format=sha1:\
followed by a obligatory "cap_mkdb" seems to do something - changing
root's password results in different hashes when selecting different
hash algorithms like des, md5, sha1, blf or even sha256.
Well, I never digged deep enough into the source code to reveal the
magic and truth, so I will ask here for some help. Is it possible to
change the md5-algorithm by default towards sha1 as recommended after
the md5-collisions has been published?
Thanks in advance,
Oliver
[-- Attachment #2 --]
Message-ID: <495FDC97.4090301@mail.zedat.fu-berlin.de>
Date: Sat, 03 Jan 2009 22:45:59 +0100
From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
User-Agent: Thunderbird 2.0.0.19 (X11/20090103)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: MD5 vs. SHA1 hashed passwords in /etc/master.passwd: can we configure
SHA1 in /etc/login.conf?
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
MD5 seems to be compromised by potential collision attacks. So I tried
to figure out how I can use another hash for security purposes when
hashing passwords for local users on a FreeBSD 7/8 box, like root or
local box administration. Looking at man login.conf reveals only three
possible hash algorithms selectable: md5 (recommended), des and blf.
Changing /etc/login.conf's tag
default:\
:passwd_format=sha1:\
followed by a obligatory "cap_mkdb" seems to do something - changing
root's password results in different hashes when selecting different
hash algorithms like des, md5, sha1, blf or even sha256.
Well, I never digged deep enough into the source code to reveal the
magic and truth, so I will ask here for some help. Is it possible to
change the md5-algorithm by default towards sha1 as recommended after
the md5-collisions has been published?
Thanks in advance,
Oliver
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?495FDEA4.6010301>