Date:      Sat, 9 Jun 2012 10:46:10 -0300
From:      "Nenhum_de_Nos" <matheus@eternamente.info>
To:        freebsd-security@freebsd.org
Subject:   Re: Default password hash
Message-ID:  <24b902f837a0deffe51f906c60070ead.squirrel@eternamente.info>
In-Reply-To: <4FD350EF.6080802@sentex.net>
References:  <86r4tqotjo.fsf@ds4.des.no> <4FD334BE.4020900@sentex.net> <fe8cae35d2bd014f8b81d264fa024ba4.squirrel@eternamente.info> <4FD350EF.6080802@sentex.net>


On Sat, June 9, 2012 10:34, Mike Tancsa wrote:
> On 6/9/2012 9:19 AM, someone wrote:
>> hi,
>>
>> what is needed to change from md5 to sha512? As all old passwds are md5, I imagine there is a
>> sequence of steps not to lock me out of the box. Is there any place that documents this?
>
> You need a relatively recent RELENG_8, not sure the exact date.  To
> change the pass format, edit the file login.conf
> cd /etc
>
> vi /etc/login.conf
>
> where it shows
>
> default:\
>         :passwd_format=md5:\
>
> change it to
>
> default:\
>         :passwd_format=sha512:\
>
> Regenerate the db file
> cap_mkdb login.conf
>
> The old passwd hash that's MD5-based will look something like
>
> 0(cage2)# grep testuser /etc/master.passwd
> testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User
> &:/home/testuser:/bin/sh
> 0(cage2)#
>
> note the $1$
>
> change the user's passwd to something new, or just use the old passwd,
> but re-enter it
>
> 1(cage2)# grep testuser /etc/master.passwd
> testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User
> &:/home/testuser:/bin/sh
> 0(cage2)# passwd testuser
> Changing local password for testuser
> New Password:
> Retype New Password:
> 0(cage2)# grep testuser /etc/master.passwd
> testuser:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:1004:1004::0:0:User
> &:/home/testuser:/bin/sh
> 0(cage2)#
>
>
> Note the $6$ in the hash, and it's now super long.
>
> If your FreeBSD version does not support sha512, Blowfish might be a
> better alternative.  Not sure, perhaps others here know how safe it is
>
> again, change the same file to
>
> default:\
>         :passwd_format=blf:\
>
> and do a cap_mkdb login.conf
>
> 0(cage2)# passwd testuser
> Changing local password for testuser
> New Password:
> Retype New Password:
> 0(cage2)# grep testuser /etc/master.passwd
> testuser:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1004:1004::0:0:User
> &:/home/testuser:/bin/sh
> 0(cage2)#
>
> Note the $2a$
>
> The other place to do it is in auth.conf, but I usually do it in login.conf
> as shown above.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html

thanks Mike. I plan to change this on 9.0R. I have 8.1 but I think I'll have to update.

thanks,

matheus

-- 
We will call you Cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style
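The procedure quoted above (switch passwd_format in the default login class, rebuild the cap database, have every user re-enter a password, then look at the $id$ prefix in master.passwd) reduced to a portable check, as an added example that is not part of the original thread. The master.passwd and login.conf contents are constructed samples; the three hashes are the ones Mike posted, the DES-style entry is made up to show an account the prefix test cannot classify. Only the prefix of the password field is inspected, so this runs on any system with a POSIX sh and awk; the FreeBSD-only steps (cap_mkdb, passwd) are left as comments where they belong in the sequence.

```shell
#!/bin/sh
# Added example, not from the thread: audit a master.passwd-style file for
# the hash algorithm each account actually uses, and rewrite the default
# class's passwd_format in a copy of login.conf. Classification is by the
# $id$ prefix of the password field, per crypt(3) conventions:
#   $1$ MD5    $2a$/$2b$ Blowfish (blf)    $5$ SHA-256    $6$ SHA-512

# hash_type HASH -> algorithm name derived from the prefix
hash_type() {
    case "$1" in
        ''|'*'*|'!'*)            echo "locked-or-empty" ;;
        '$1$'*)                  echo "md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "blf" ;;
        '$5$'*)                  echo "sha256" ;;
        '$6$'*)                  echo "sha512" ;;
        *)                       echo "des-or-unknown" ;;
    esac
}

# audit_passwd FILE -> one "user algorithm" line per account (comments skipped)
audit_passwd() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(hash_type "$hash")"
    done < "$1"
}

# count_legacy FILE -> accounts still on MD5 or older; these are the ones
# that keep their weak hash until the password is re-entered
count_legacy() {
    audit_passwd "$1" | awk '$2 == "md5" || $2 == "des-or-unknown" { n++ } END { print n + 0 }'
}

# default_passwd_format LOGIN_CONF -> passwd_format of the "default" class
# ("md5" when unset, which is what an unmodified old login.conf gives you)
default_passwd_format() {
    awk '
        /^default:/                { in_default = 1 }
        /^[^ \t#]/ && !/^default:/ { in_default = 0 }
        in_default && match($0, /passwd_format=[a-z0-9]+/) {
            print substr($0, RSTART + 14, RLENGTH - 14); found = 1; exit
        }
        END { if (!found) print "md5" }
    ' "$1"
}

# set_passwd_format SRC DST FORMAT -> copy SRC to DST with only the default
# class's passwd_format changed. Written to DST so you can diff before
# installing; on FreeBSD you must then run:  cap_mkdb /etc/login.conf
set_passwd_format() {
    awk -v fmt="$3" '
        /^default:/                { in_default = 1 }
        /^[^ \t#]/ && !/^default:/ { in_default = 0 }
        in_default { sub(/passwd_format=[a-z0-9]+/, "passwd_format=" fmt) }
        { print }
    ' "$1" > "$2"
}

# --- constructed sample data; the three real-looking hashes are the ones
# --- quoted in the thread, the 13-character DES one is made up -----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/master.passwd"
SAMPLE_LOGINCONF="$SAMPLE_DIR/login.conf"
NEW_LOGINCONF="$SAMPLE_DIR/login.conf.new"

cat > "$SAMPLE_PASSWD" <<'EOF'
# constructed sample master.passwd
root:*:0:0::0:0:System Administrator:/root:/bin/csh
testuser:$1$0lfvk63d$WPD8y7w6o2CAU8V4kTgqR1:1004:1004::0:0:User &:/home/testuser:/bin/sh
alice:$6$AvBQXRlaKNv/YkM8$WhrcMomrs7mXgHAvFpETPT.T21jH9rYtsK8KKEFVOOYCm6noIHKI3JqQw67Vc/cYwTkGxnFY1zWrddiVUmk2p0:1005:1005::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$veZKfUGwqsrxWZOb/wbes.RdgQhLL.kfqyQ8Cv044rjJdFI0nSVXy:1006:1006::0:0:Bob:/home/bob:/bin/sh
legacy:abJnggxhB/yWI:1007:1007::0:0:Old DES account:/home/legacy:/bin/sh
EOF

cat > "$SAMPLE_LOGINCONF" <<'EOF'
# constructed, abbreviated login.conf
default:\
        :passwd_format=md5:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :umask=022:

# a second class, to show that only "default" is rewritten
staff:\
        :passwd_format=md5:\
        :tc=default:
EOF

# Step 1 of the procedure: change the default class (then cap_mkdb on the box)
set_passwd_format "$SAMPLE_LOGINCONF" "$NEW_LOGINCONF" sha512
echo "default passwd_format: $(default_passwd_format "$SAMPLE_LOGINCONF") -> $(default_passwd_format "$NEW_LOGINCONF")"
# Step 2: after `passwd <user>` for each account, the audit tells you who is left
audit_passwd "$SAMPLE_PASSWD"
echo "accounts that still need to re-enter their password: $(count_legacy "$SAMPLE_PASSWD")"
```

Run it against the real files as root (`audit_passwd /etc/master.passwd`) after the cap_mkdb step and it lists which accounts still carry a $1$ hash; nothing is rehashed until each of them re-enters a password, exactly as Mike's example shows. For the Blowfish case, the field after $2a$ (04 in the quoted hash) is the bcrypt cost, i.e. 2^4 rounds, so that number is worth a look as well when auditing.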