Date: Wed, 30 Apr 2014 19:31:56 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44724 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201404301931.s3UJVuNK005284@svn.freebsd.org>
Author: dru Date: Wed Apr 30 19:31:56 2014 New Revision: 44724 URL: http://svnweb.freebsd.org/changeset/doc/44724 Log: Editorial review of 14.2.3 Password Hashes. Add example of how to view and change the password hash. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:05:34 2014 (r44723) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:31:56 2014 (r44724) 
@@ -235,48 +235,84 @@ </sect2> <sect2 xml:id="security-passwords"> - <title>Passwords</title> + <title>Password Hashes</title> - <para>Passwords are a necessary evil of technology. In the - cases they must be used, not only should the password be - extremely complex, but also use a powerful hash mechanism to - protect it. At the time of this writing, &os; supports - <acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish, - <acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in - the <function>crypt()</function> library. The default is - <acronym>SHA</acronym>512 and should not be changed backwards; - however, some users like to use the Blowfish option. Each - mechanism, aside from <acronym>DES</acronym>, has a unique - beginning to designate the hash mechanism assigned. For the - <acronym>MD</acronym>5 mechanism, the symbol is a - <quote>$</quote> sign. For the <acronym>SHA</acronym>256 or - <acronym>SHA</acronym>512, the symbol is <quote>$6$</quote> - and Blowfish uses <quote>$2a$</quote>. Any weaker passwords - should be re-hashed by asking the user to run &man.passwd.1; - during their next login.</para> + <para>Passwords are a necessary evil of technology. When + they must be used, they should be + complex and a powerful hash mechanism should be used to + encrypt the version that is stored in the password database. &os; supports the + <acronym>DES</acronym>, <acronym>MD5</acronym>, + <acronym>SHA256</acronym>, <acronym>SHA512</acronym>, and Blowfish hash algorithms in its + <function>crypt()</function> library. 
The default of + <acronym>SHA512</acronym> should not be changed to a less + secure hashing algorithm, but can be changed to the more secure + Blowfish algorithm.</para> <note> - <para>At the time of this writing, Blowfish is not part of - <acronym>AES</acronym> nor is it considered compliant with - any <acronym>FIPS</acronym> (Federal Information - Processing Standards) standard and its use may not be + <para>Blowfish is not part of + <acronym>AES</acronym> and is not considered compliant with + any Federal Information + Processing Standards (<acronym>FIPS</acronym>). Its use may not be permitted in some environments.</para> </note> - <para>For any system connected to the network, two factor - authentication should be used. This is normally considered - something you have and something you know. With - <application>OpenSSH</application> being part of the &os; - base system and the use of ssh-keys being available for some - time, all network logins should avoid the use of passwords in - exchange for this two factor authentication method. For - more information see the <xref linkend="openssh"/> section of - the handbook. Kerberos users may need to make additional + <para>To determine which hash algorithm is used to encrypt a + user's password, the superuser can view the hash for the user + in the &os; password database. Each hash + starts with a symbol which indicates the type of hash + mechanism used to encrypt the password. If + <acronym>DES</acronym> is used, there is no beginning symbol. + For + <acronym>MD5</acronym>, the symbol is + <literal>$</literal>. For <acronym>SHA256</acronym> and + <acronym>SHA512</acronym>, the symbol is <literal>$6$</literal>. + For Blowfish, the symbol is <literal>$2a$</literal>. In this + example, the password for <systemitem + class="username">dru</systemitem> is hashed using the default + <acronym>SHA512</acronym> algorithm as the hash starts with + <literal>$6$</literal>. 
Note that the encrypted hash, not the password + itself, is stored in the password database:</para> + + <screen>&prompt.root; <userinput>grep dru /etc/master.passwd</userinput> +dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh +</screen> + + <para>The hash mechanism is set in the user's login class. For + this example, the user is in the <literal>default</literal> + login class and the hash algorithm is set with this line in + <filename>/etc/login.conf</filename>:</para> + + <programlisting> :passwd_format=sha512:\</programlisting> + + <para>To change the algorithm to Blowfish, modify that line to + look like this:</para> + + <programlisting> :passwd_format=blf:\</programlisting> + + <para>Then run <command>cap_mkdb /etc/login.conf</command> as + described in <xref linkend="users-limiting"/>. Note that this + change will not affect any existing password hashes. This + means that all passwords should + be re-hashed by asking users to run <command>passwd</command> + in order to change their password.</para> + + <para>For remote logins, two-factor + authentication should be used. An example of two-factor authentication is + <quote>something you have</quote>, such as a key, and + <quote>something you know</quote>, such as the passphrase for that key. Since + <application>OpenSSH</application> is part of the &os; + base system, all network logins should be over an encrypted + connection and use key-based authentication instead of passwords. + For + more information, refer to <xref linkend="openssh"/>. + Kerberos users may need to make additional changes to implement <application>OpenSSH</application> in - their network.</para> + their network. 
These changes are described in <xref + linkend="kerberos5"/>.</para> + </sect2> - <sect3 xml:id="security-pwpolicy"> - <title>Password Policy and Enforcement</title> + <sect2 xml:id="security-pwpolicy"> + <title>Password Policy Enforcement</title> <para>Enforcing a strong password policy for local accounts is a fundamental aspect of local system security and policy. @@ -358,7 +394,6 @@ Enter new password:</programlisting> <para>As seen here, an expiration date is set in the form of day, month, year. For more information, see &man.pw.8;</para> - </sect3> </sect2> <sect2 xml:id="security-rkhunter">
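Review bot: the prefix list in the first hunk is internally inconsistent: the new paragraph says the leading symbol "indicates the type of hash mechanism used to encrypt the password", yet it assigns the same "$6$" to both SHA256 and SHA512 and a bare "$" to MD5, so the symbol cannot identify the mechanism as claimed. crypt(3) uses distinct prefixes: "$1$" for MD5, "$5$" for SHA-256 and "$6$" for SHA-512, so the "$6$" in the example hash identifies SHA-512 specifically. Suggest replacing those two sentences with: "For <acronym>MD5</acronym>, the symbol is <literal>$1$</literal>. For <acronym>SHA256</acronym>, the symbol is <literal>$5$</literal> and for <acronym>SHA512</acronym> it is <literal>$6$</literal>." Two smaller points in the same hunk: "a powerful hash mechanism should be used to encrypt the version that is stored" and "the encrypted hash" describe hashing as encryption, which the new title "Password Hashes" has just moved away from; "hash" alone is accurate. And "can be changed to the more secure Blowfish algorithm" asserts a ranking that nothing in the hunk supports (the note directly below only says Blowfish is not FIPS compliant); "can be changed to the Blowfish algorithm" avoids the unsupported claim.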