Patch (WIP): New security front matter; new shell redirection section

Tom Rhodes trhodes at FreeBSD.org
Tue Feb 4 12:53:45 UTC 2014 

On Tue, 4 Feb 2014 01:00:41 -0700 (MST)
Mike Brown <mike at skew.org> wrote:

> Tom Rhodes wrote:
> > +      <para>Passwords are a necessary evil of the past.  In the cases
> > +	they must be used, not only should the password be extremely
> > +	complex, but also use a powerful hash mechanism to protect it.
> > +	At the time of this writing, &os; supports
> > +	<acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
> > +	<acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
> > +	the <function>crypt()</function> library.  The default is
> > +	<acronym>SHA</acronym>512 and should not be changed backwards;
> > +	however, some users like to use the Blowfish option.  Each
> > +	mechanism, aside from <acronym>DES</acronym>, has a unique
> > +	beginning to designate the hash mechanism assigned.  For the
> > +	<acronym>MD</acronym>5 mechanism, the symbol is a
> > +	<quote>$</quote> sign.  For the <acronym>SHA</acronym>256 or
> > +	<acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
> > +	and Blowfish uses <quote>$2a$</quote>.  Any weaker passwords
> > +	should be re-hashed by asking the user to run &man.passwd.1;
> > +	during their next login.</para>
> 
> I get confused by this.
> 
> "Any weaker passwords" immediately follows discussion of hash
> mechanisms, suggesting you actually mean to say "Any passwords
> protected by weaker hash mechanisms" ... although maybe you
> were done talking about hash mechanisms and were actually now
> back to talking about password complexity? Please clarify.
> 
> Either way, how do I inspect /etc/spwd.db to find out who has 
> weak/not-complex-enough passwords, and what hash mechanism is in use
> for each user, so I know who needs to run passwd(1)?
> 
> If this info is already in the chapter, forgive me; I am just
> going by what's in the diff.
> 
> Anyway, overall it looks great.

Thanks!

You actually did remind me that, with the new version I
just put in, I added a bunch of sections but completely
dropped the ball on checking for weak passwords!

Though, the new chapter has sudo, rkhunter, and setting
up an mtree(8) based IDS and more tunables.  I'll try
to work up an additional bit of cracking passwords and
the like sometime this week.  Cheers,

-- 
Tom Rhodes

More information about the freebsd-doc mailing list