Editorial review of 14.2.3 Password Hashes.

Add example of how to view and change the password hash.

Sponsored by:	iXsystems

en_US.ISO8859-1/books/handbook/security/chapter.xml

@@ -235,48 +235,84 @@
     </sect2>
 
     <sect2 xml:id="security-passwords">
-      <title>Passwords</title>
+      <title>Password Hashes</title>
 
-      <para>Passwords are a necessary evil of technology.  In the
-	cases they must be used, not only should the password be
-	extremely complex, but also use a powerful hash mechanism to
-	protect it.  At the time of this writing, &os; supports
-	<acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
-	<acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
-	the <function>crypt()</function> library.  The default is
-	<acronym>SHA</acronym>512 and should not be changed backwards;
-	however, some users like to use the Blowfish option.  Each
-	mechanism, aside from <acronym>DES</acronym>, has a unique
-	beginning to designate the hash mechanism assigned.  For the
-	<acronym>MD</acronym>5 mechanism, the symbol is a
-	<quote>$</quote> sign.  For the <acronym>SHA</acronym>256 or
-	<acronym>SHA</acronym>512, the symbol is <quote>$6$</quote>
-	and Blowfish uses <quote>$2a$</quote>.  Any weaker passwords
-	should be re-hashed by asking the user to run &man.passwd.1;
-	during their next login.</para>
+      <para>Passwords are a necessary evil of technology.  When
+	they must be used, they should be
+	complex and a powerful hash mechanism should be used to
+	encrypt the version that is stored in the password database.  &os; supports the
+	<acronym>DES</acronym>, <acronym>MD5</acronym>,
+	<acronym>SHA256</acronym>, <acronym>SHA512</acronym>, and Blowfish hash algorithms in its
+	<function>crypt()</function> library.  The default of
+	<acronym>SHA512</acronym> should not be changed to a less
+	secure hashing algorithm, but can be changed to the more secure
+	Blowfish algorithm.</para>
 
       <note>
-	<para>At the time of this writing, Blowfish is not part of
-	  <acronym>AES</acronym> nor is it considered compliant with
-	  any <acronym>FIPS</acronym> (Federal Information
-	  Processing Standards) standard and its use may not be
+	<para>Blowfish is not part of
+	  <acronym>AES</acronym> and is not considered compliant with
+	  any Federal Information
+	  Processing Standards (<acronym>FIPS</acronym>).  Its use may not be
 	  permitted in some environments.</para>
       </note>
 
-      <para>For any system connected to the network, two factor
-	authentication should be used.  This is normally considered
-	something you have and something you know.  With
-	<application>OpenSSH</application> being part of the &os;
-	base system and the use of ssh-keys being available for some
-	time, all network logins should avoid the use of passwords in
-	exchange for this two factor authentication method.  For
-	more information see the <xref linkend="openssh"/> section of
-	the handbook.  Kerberos users may need to make additional
-	changes to implement <application>OpenSSH</application> in
-	their network.</para>
+      <para>To determine which hash algorithm is used to encrypt a
+	user's password, the superuser can view the hash for the user
+	in the &os; password database.  Each hash
+	starts with a symbol which indicates the type of hash
+	mechanism used to encrypt the password.  If
+	<acronym>DES</acronym> is used, there is no beginning symbol.
+	For
+	<acronym>MD5</acronym>, the symbol is
+	<literal>$</literal>.  For <acronym>SHA256</acronym> and
+	<acronym>SHA512</acronym>, the symbol is <literal>$6$</literal>.
+	For Blowfish, the symbol is <literal>$2a$</literal>.  In this
+	example, the password for <systemitem
+	  class="username">dru</systemitem> is hashed using the default
+	<acronym>SHA512</acronym> algorithm as the hash starts with
+	<literal>$6$</literal>.  Note that the encrypted hash, not the password
+	itself, is stored in the password database:</para>
 
-      <sect3 xml:id="security-pwpolicy">
-	<title>Password Policy and Enforcement</title>
+      <screen>&prompt.root; <userinput>grep dru /etc/master.passwd</userinput>
+dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh
+</screen>
+
+      <para>The hash mechanism is set in the user's login class.  For
+	this example, the user is in the <literal>default</literal>
+	login class and the hash algorithm is set with this line in
+	<filename>/etc/login.conf</filename>:</para>
+
+      <programlisting>        :passwd_format=sha512:\</programlisting>
+
+      <para>To change the algorithm to Blowfish, modify that line to
+	look like this:</para>
+      
+       <programlisting>        :passwd_format=blf:\</programlisting>
+     
+     <para>Then run <command>cap_mkdb /etc/login.conf</command> as
+	described in <xref linkend="users-limiting"/>.  Note that this
+	change will not affect any existing password hashes.  This
+	means that all passwords should
+	be re-hashed by asking users to run <command>passwd</command>
+	in order to change their password.</para>
+
+      <para>For remote logins, two-factor
+	authentication should be used.  An example of two-factor authentication is
+	<quote>something you have</quote>, such as a key, and
+	<quote>something you know</quote>, such as the passphrase for that key.  Since
+	<application>OpenSSH</application> is part of the &os;
+	base system, all network logins should be over an encrypted
+	connection and use key-based authentication instead of passwords.
+	For
+	more information, refer to <xref linkend="openssh"/>.
+	Kerberos users may need to make additional
+	changes to implement <application>OpenSSH</application> in
+	their network.  These changes are described in <xref
+	  linkend="kerberos5"/>.</para>
+      </sect2>
+
+      <sect2 xml:id="security-pwpolicy">
+	<title>Password Policy Enforcement</title>
 
 	<para>Enforcing a strong password policy for local accounts
 	  is a fundamental aspect of local system security and policy.
@@ -358,7 +394,6 @@ Enter new password:</programlisting>
 	<para>As seen here, an expiration date is set in the form of
 	  day, month, year.  For more information, see
 	  &man.pw.8;</para>
-      </sect3>
     </sect2>
 
     <sect2 xml:id="security-rkhunter">