Better Password Hashes

A.J. Kehoe IV (Nanoman) nanoman at nanoman.ca
Sun Jul 7 17:42:11 UTC 2013 

My friend and fellow FreeBSD enthusiast Derek Marcotte recently pointed out that FreeBSD has no easy way to set the logarithmic rounds for bcrypt password hashes.  Doing so is trivial in OpenBSD, and considering the capabilities of current GPU attacks, I want this functionality.

This issue was raised over eight years ago in kern/75934 by Steven Alexander Jr., who included a patch to add this feature.  Unfortunately, this seems to have been completely overlooked, and there were no public responses to this PR.

I commissioned Derek to come up with a solution by either updating Steven's patch or by devising a new method.  To paraphrase Derek's comments:

-----BEGIN PARAPHRASIS-----
I did some research into what other *BSDs are doing.  OpenBSD and NetBSD use the algorithm name, a comma, and then the number of rounds:

http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5

localcipher=blowfish,6

http://netbsd.gw.com/cgi-bin/man-cgi?passwd.conf+5+NetBSD-current

localcipher=blowfish,6

To me, this isn't a good way to do it because we'd need special rules to parse this extra field out of the previously unstructured data.  This parsing would be algorithm dependant.

Everyone knows about modular crypt, so why not feed the modular crypt salt string as the parameter directly?  Instead of messing with different names, give the power to the system admin to control this directly, so when crypt is updated, pam_unix can take advantage.  Each implementation of crypt algorithms already includes parsing of the salt magic.

I found that patching pam_unix was the least invasive way to handle configurable hashes for login.  I've added a passwd_modular parameter that will supersede passwd_format when defined.  passwd_modular will feed directly into crypt, so any options that are passed to crypt via the salt are immediately available for use in the master.passwd file.  For example:

:passwd_modular=$2a$11$:\

Now you can also set the rounds for sha512:

:passwd_modular=$6$rounds=1000000$:\

To disable passwd_modular and revert to passwd_format:

:passwd_modular=disabled:\

This also lets admins shoot themselves in the foot by supplying invalid or bad salts.  For example:

:passwd_modular=$1$constantsalt:\

I had considered setting a second variable like ":passwd_param=8:\", but then you really have to mess with crypt to make it work.  I think it would be a much more invasive change, and unnecessary, providing the documentation for login.conf is brought up to date.

FreeBSD 8.* doesn't have access to the SHA family of hashes.  If this is merged back into 8, it will give much stronger password security when using $2a$08$ (or higher) than is currently available.

bcrypt is preferable to sha512 because of its resilience to current GPU attacks.  This is expected to change.  Hopefully, my patch will lay some groundwork to incorporate scrypt.
-----END PARAPHRASIS-----

I've attached a copy of Derek's patches for the FreeBSD 9-STABLE versions of pam_unix and the login.conf man page.  These may have to be adjusted for HEAD.

I really like Derek's solution.  It's working perfectly for bcrypt on my own network, and I'm planning to distribute it to the hundreds of FreeBSD servers that I am responsible for maintaining.  In my opinion, committing Derek's patches will allow kern/75934 to be closed.

-- 
A.J. Kehoe IV (Nanoman)     |  /"\  ASCII Ribbon Campaign
Nanoman's Company           |  \ /   - No HTML/RTF in E-mail
E-mail: nanoman at nanoman.ca  |   X    - No proprietary attachments
WWW: http://www.nanoman.ca/ |  / \   - Respect for open standards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_unix.c.patch
Type: text/x-diff
Size: 2537 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: login.conf.5.patch
Type: text/x-diff
Size: 1012 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3924 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment.bin>

More information about the freebsd-security mailing list