From owner-svn-doc-all@FreeBSD.ORG Wed Apr 30 19:31:56 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E37F79D2; Wed, 30 Apr 2014 19:31:56 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D00571C90; Wed, 30 Apr 2014 19:31:56 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3UJVuk8005285; Wed, 30 Apr 2014 19:31:56 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3UJVuNK005284; Wed, 30 Apr 2014 19:31:56 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201404301931.s3UJVuNK005284@svn.freebsd.org> 
From: Dru Lavigne Date: Wed, 30 Apr 2014 19:31:56 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44724 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 19:31:57 -0000 Author: dru Date: Wed Apr 30 19:31:56 2014 New Revision: 44724 URL: http://svnweb.freebsd.org/changeset/doc/44724 Log: Editorial review of 14.2.3 Password Hashes. Add example of how to view and change the password hash. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:05:34 2014 (r44723) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:31:56 2014 (r44724) 
@@ -235,48 +235,84 @@ - Passwords + Password Hashes - Passwords are a necessary evil of technology. In the - cases they must be used, not only should the password be - extremely complex, but also use a powerful hash mechanism to - protect it. At the time of this writing, &os; supports - DES, MD5, Blowfish, - SHA256, and SHA512 in - the crypt() library. The default is - SHA512 and should not be changed backwards; - however, some users like to use the Blowfish option. Each - mechanism, aside from DES, has a unique - beginning to designate the hash mechanism assigned. For the - MD5 mechanism, the symbol is a - $ sign. For the SHA256 or - SHA512, the symbol is $6$ - and Blowfish uses $2a$. Any weaker passwords - should be re-hashed by asking the user to run &man.passwd.1; - during their next login. + Passwords are a necessary evil of technology. When + they must be used, they should be + complex and a powerful hash mechanism should be used to + encrypt the version that is stored in the password database. &os; supports the + DES, MD5, + SHA256, SHA512, and Blowfish hash algorithms in its + crypt() library. The default of + SHA512 should not be changed to a less + secure hashing algorithm, but can be changed to the more secure + Blowfish algorithm. - At the time of this writing, Blowfish is not part of - AES nor is it considered compliant with - any FIPS (Federal Information - Processing Standards) standard and its use may not be + Blowfish is not part of + AES and is not considered compliant with + any Federal Information + Processing Standards (FIPS). Its use may not be permitted in some environments. - For any system connected to the network, two factor - authentication should be used. This is normally considered - something you have and something you know. 
With - OpenSSH being part of the &os; - base system and the use of ssh-keys being available for some - time, all network logins should avoid the use of passwords in - exchange for this two factor authentication method. For - more information see the section of - the handbook. Kerberos users may need to make additional + To determine which hash algorithm is used to encrypt a + user's password, the superuser can view the hash for the user + in the &os; password database. Each hash + starts with a symbol which indicates the type of hash + mechanism used to encrypt the password. If + DES is used, there is no beginning symbol. + For + MD5, the symbol is + $. For SHA256 and + SHA512, the symbol is $6$. + For Blowfish, the symbol is $2a$. In this + example, the password for dru is hashed using the default + SHA512 algorithm as the hash starts with + $6$. Note that the encrypted hash, not the password + itself, is stored in the password database: + + &prompt.root; grep dru /etc/master.passwd +dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh + + + The hash mechanism is set in the user's login class. For + this example, the user is in the default + login class and the hash algorithm is set with this line in + /etc/login.conf: + + :passwd_format=sha512:\ + + To change the algorithm to Blowfish, modify that line to + look like this: + + :passwd_format=blf:\ + + Then run cap_mkdb /etc/login.conf as + described in . Note that this + change will not affect any existing password hashes. This + means that all passwords should + be re-hashed by asking users to run passwd + in order to change their password. + + For remote logins, two-factor + authentication should be used. An example of two-factor authentication is + something you have, such as a key, and + something you know, such as the passphrase for that key. 
Since + OpenSSH is part of the &os; + base system, all network logins should be over an encrypted + connection and use key-based authentication instead of passwords. + For + more information, refer to . + Kerberos users may need to make additional changes to implement OpenSSH in - their network. + their network. These changes are described in . + - - Password Policy and Enforcement + + Password Policy Enforcement Enforcing a strong password policy for local accounts is a fundamental aspect of local system security and policy. @@ -358,7 +394,6 @@ Enter new password: As seen here, an expiration date is set in the form of day, month, year. For more information, see &man.pw.8; -
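Review bot: the hash-prefix description in the added paragraph (the `+` lines from "Each hash starts with a symbol" through "For Blowfish, the symbol is $2a$") is internally inconsistent: it assigns `$6$` to both SHA256 and SHA512, then concludes that the example hash is SHA512 because it starts with `$6$`, which the prefix alone could not establish if the same prefix also meant SHA256. Per crypt(3) the MD5 prefix is `$1$`, the SHA256 prefix is `$5$`, and only SHA512 uses `$6$`; suggest correcting those three prefixes so the example's conclusion follows from the text. Minor wording point in the same hunk: the lines "+ encrypt the version that is stored in the password database" and "+ Note that the encrypted hash, not the password" describe hashing as encryption; since crypt() output cannot be reversed to recover the password, prefer "hash" throughout, e.g. "a strong hash algorithm should be used for the version stored in the password database" and "Note that the hash, not the password itself, is stored".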