Comments on: Security problem and a fix

By: ?????????? ? MySQL, Gitorious, PowerDNS, Suhosin PHP, OpenSSL, Moodle, VirtualBox, Solaris, Wireshark, Glibc, DragonFly BSD, Asterisk | AllUNIX.ru — ????????????? ?????? ? UNIX-????????

Sun, 22 Jan 2012 23:19:22 +0000

[…] ???????????? ??????? DragonFly BSD ???????? ???????? ? ???????????? ???????, ??????? ?????? […]

By: Lazarus

Lazarus — Sat, 21 Jan 2012 03:28:04 +0000

From
http://onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html?page=2
(Works in DragonFly IIRC)

To implement Blowfish hashes, edit /etc/login.conf and change the passwd_format line so that it looks like this:

:passwd_format=blf:\
Save your change, then rebuild the login database with this command:

cap_mkdb /etc/login.conf
You’ll then have to change all of your user’s passwords so they will get a new Blowfish hash. You can do this by typing:

passwd username
as the superuser. Whatever username you use, that will be the user whose password will be updated. Repeat for all of your users, including the root account.

Once you’re finished, double-check that it worked and you didn’t forget any users:

more /etc/master.passwd
All of the passwords for your users should begin with $2.

Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Change the crypt_default line so that it looks like this:

crypt_default=blf

By: Anonymous

Anonymous — Sat, 21 Jan 2012 02:31:11 +0000

I wonder whether there is a reason for using SHA and MD5 for password hashing in DFlyBSD? Wouldn’t it be better to use some hashing scheme that was designed with that specific application in mind like bcrypt or PBKDF2? While I’m not an expert in these matters, I link to an article whose argumentation I found quite plausible: http://codahale.com/how-to-safely-store-a-password/