From f58f3480727a66a8a44a5d74f88829e34ecee9c8 Mon Sep 17 00:00:00 2001
From: Dru Lavigne
Date: Wed, 30 Apr 2014 19:31:56 +0000
Subject: [PATCH] Editorial review of 14.2.3 Password Hashes.

Add example of how to view and change the password hash.

Sponsored by: iXsystems
---
 .../books/handbook/security/chapter.xml | 107 ++++++++++++------
 1 file changed, 71 insertions(+), 36 deletions(-)

diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml
index edd04c2365..18240452b8 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@@ -235,48 +235,84 @@ - Passwords + Password Hashes - Passwords are a necessary evil of technology. In the - cases they must be used, not only should the password be - extremely complex, but also use a powerful hash mechanism to - protect it. At the time of this writing, &os; supports - DES, MD5, Blowfish, - SHA256, and SHA512 in - the crypt() library. The default is - SHA512 and should not be changed backwards; - however, some users like to use the Blowfish option. Each - mechanism, aside from DES, has a unique - beginning to designate the hash mechanism assigned. For the - MD5 mechanism, the symbol is a - $ sign. For the SHA256 or - SHA512, the symbol is $6$ - and Blowfish uses $2a$. Any weaker passwords - should be re-hashed by asking the user to run &man.passwd.1; - during their next login. + Passwords are a necessary evil of technology. When + they must be used, they should be + complex and a powerful hash mechanism should be used to + encrypt the version that is stored in the password database. &os; supports the + DES, MD5, + SHA256, SHA512, and Blowfish hash algorithms in its + crypt() library. The default of + SHA512 should not be changed to a less + secure hashing algorithm, but can be changed to the more secure + Blowfish algorithm. - At the time of this writing, Blowfish is not part of - AES nor is it considered compliant with - any FIPS (Federal Information - Processing Standards) standard and its use may not be + Blowfish is not part of + AES and is not considered compliant with + any Federal Information + Processing Standards (FIPS). Its use may not be permitted in some environments. - For any system connected to the network, two factor - authentication should be used. This is normally considered - something you have and something you know. 
With - OpenSSH being part of the &os; - base system and the use of ssh-keys being available for some - time, all network logins should avoid the use of passwords in - exchange for this two factor authentication method. For - more information see the section of - the handbook. Kerberos users may need to make additional - changes to implement OpenSSH in - their network. + To determine which hash algorithm is used to encrypt a + user's password, the superuser can view the hash for the user + in the &os; password database. Each hash + starts with a symbol which indicates the type of hash + mechanism used to encrypt the password. If + DES is used, there is no beginning symbol. + For + MD5, the symbol is + $. For SHA256 and + SHA512, the symbol is $6$. + For Blowfish, the symbol is $2a$. In this + example, the password for dru is hashed using the default + SHA512 algorithm as the hash starts with + $6$. Note that the encrypted hash, not the password + itself, is stored in the password database: - - Password Policy and Enforcement + &prompt.root; grep dru /etc/master.passwd +dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh + + + The hash mechanism is set in the user's login class. For + this example, the user is in the default + login class and the hash algorithm is set with this line in + /etc/login.conf: + + :passwd_format=sha512:\ + + To change the algorithm to Blowfish, modify that line to + look like this: + + :passwd_format=blf:\ + + Then run cap_mkdb /etc/login.conf as + described in . Note that this + change will not affect any existing password hashes. This + means that all passwords should + be re-hashed by asking users to run passwd + in order to change their password. + + For remote logins, two-factor + authentication should be used. An example of two-factor authentication is + something you have, such as a key, and + something you know, such as the passphrase for that key. 
Since + OpenSSH is part of the &os; + base system, all network logins should be over an encrypted + connection and use key-based authentication instead of passwords. + For + more information, refer to . + Kerberos users may need to make additional + changes to implement OpenSSH in + their network. These changes are described in . + + + + Password Policy Enforcement Enforcing a strong password policy for local accounts is a fundamental aspect of local system security and policy. @@ -358,7 +394,6 @@ Enter new password: As seen here, an expiration date is set in the form of day, month, year. For more information, see &man.pw.8; -
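Review bot: the hash-prefix description added in the first hunk is wrong in two places and should be corrected before this ships, since readers will use it to identify what is in /etc/master.passwd: the text says the MD5 prefix is a bare `$` and that "For SHA256 and SHA512, the symbol is $6$", but crypt(3) marks MD5 hashes with `$1$` and SHA256 hashes with `$5$`; `$6$` identifies SHA512 only, so the sentence should be split into one for SHA256 (`$5$`) and one for SHA512 (`$6$`), and the MD5 line should read `$1$`. Second, the hunk repeatedly describes the stored value as "encrypted" ("a powerful hash mechanism should be used to encrypt the version that is stored", "the encrypted hash, not the password itself, is stored"); crypt() hashes rather than encrypts, and the difference is the security point of this section (a hash cannot be reversed with a key, it can only be guessed against), so "encrypt" should become "hash" throughout and "encrypted hash" simply "hash". Third, "can be changed to the more secure Blowfish algorithm" ranks the two algorithms without support, and the very next paragraph says Blowfish may not be permitted in FIPS environments; a neutral phrasing such as "can be changed to Blowfish" avoids contradicting that caveat. The remaining additions read well: restricting the `grep dru /etc/master.passwd` example to the superuser is correct, the passwd_format change with cap_mkdb is the right procedure, and the caveat that existing hashes are unaffected until each user runs passwd is exactly the note an administrator needs.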