From owner-freebsd-questions@FreeBSD.ORG Sat Jan 3 22:13:04 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8F792106566B for ; Sat, 3 Jan 2009 22:13:04 +0000 (UTC) (envelope-from ohartman@mail.zedat.fu-berlin.de) Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) by mx1.freebsd.org (Postfix) with ESMTP id 120E48FC08 for ; Sat, 3 Jan 2009 22:13:04 +0000 (UTC) (envelope-from ohartman@mail.zedat.fu-berlin.de) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost1.zedat.fu-berlin.de (Exim 4.69) for freebsd-questions@freebsd.org with esmtp (envelope-from ) id <1LJERj-0000NH-8O>; Sat, 03 Jan 2009 22:54:15 +0100 Received: from e178059216.adsl.alicedsl.de ([85.178.59.216] helo=thor.walstatt.dyndns.org) by inpost2.zedat.fu-berlin.de (Exim 4.69) for freebsd-questions@freebsd.org with esmtpsa (envelope-from ) id <1LJERj-0005W5-1n>; Sat, 03 Jan 2009 22:54:15 +0100 Message-ID: <495FDEA4.6010301@mail.zedat.fu-berlin.de> Date: Sat, 03 Jan 2009 22:54:44 +0100 From: "O. Hartmann" User-Agent: Thunderbird 2.0.0.19 (X11/20090103) MIME-Version: 1.0 To: freebsd-questions@freebsd.org X-Enigmail-Version: 0.95.7 Content-Type: multipart/mixed; boundary="------------020604060008010902050109" X-Originating-IP: 85.178.59.216 Subject: MD5 vs. SHA1: hashed passwords in /etc/master.passwd - can we configure SHA1 as default in /etc/login.conf? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Jan 2009 22:13:07 -0000 This is a multi-part message in MIME format. --------------020604060008010902050109 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MD5 seems to be compromised by potential collision attacks. So I tried to figure out how I can use another hash for security purposes when hashing passwords for local users on a FreeBSD 7/8 box, like root or local box administration. Looking at man login.conf reveals only three possible hash algorithms selectable: md5 (recommended), des and blf. Changing /etc/login.conf's tag default:\ :passwd_format=sha1:\ followed by a obligatory "cap_mkdb" seems to do something - changing root's password results in different hashes when selecting different hash algorithms like des, md5, sha1, blf or even sha256. Well, I never digged deep enough into the source code to reveal the magic and truth, so I will ask here for some help. Is it possible to change the md5-algorithm by default towards sha1 as recommended after the md5-collisions has been published? Thanks in advance, Oliver --------------020604060008010902050109 Content-Type: message/rfc822; name="Attached Message" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="Attached Message" Message-ID: <495FDC97.4090301@mail.zedat.fu-berlin.de> Date: Sat, 03 Jan 2009 22:45:59 +0100 From: "O. Hartmann" User-Agent: Thunderbird 2.0.0.19 (X11/20090103) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: MD5 vs. SHA1 hashed passwords in /etc/master.passwd: can we configure SHA1 in /etc/login.conf? X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MD5 seems to be compromised by potential collision attacks. So I tried to figure out how I can use another hash for security purposes when hashing passwords for local users on a FreeBSD 7/8 box, like root or local box administration. Looking at man login.conf reveals only three possible hash algorithms selectable: md5 (recommended), des and blf. Changing /etc/login.conf's tag default:\ :passwd_format=sha1:\ followed by a obligatory "cap_mkdb" seems to do something - changing root's password results in different hashes when selecting different hash algorithms like des, md5, sha1, blf or even sha256. Well, I never digged deep enough into the source code to reveal the magic and truth, so I will ask here for some help. Is it possible to change the md5-algorithm by default towards sha1 as recommended after the md5-collisions has been published? Thanks in advance, Oliver --------------020604060008010902050109--