Re: changing md5 hashed for sha
oops ... forwarding to the list also

On Sun, 24 Jun 2012 19:06:07 -0400
Mike Tancsa wrote:

> On 6/23/2012 9:37 AM, Christopher J. Ruwe wrote:
> > For setting the default hash used to hash /etc/master.passwd, it
> > has been recommended changing md5 for something more secure in the
> > sense of being more expensive to crack.
> >
> > The handbook describes the procedure used in
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html.
> > Allegedly, hashes which were hashed with one of the sha-functions
> > begin with the character $6$.
> >
> > After having changed my /etc/login.conf accordingly and having
> > reset the passwords, the given there is not md5 anymore (I have
> > tried with md5), but does not begin with the character $6$, but, as
> > md5, with $1$, which is supposed to be md5-hashed.
> >
> > I fear I am a bit dense here, what am I getting wrong?
>
> Are you sure you ran
> cap_mkdb /etc/login.conf
> after adjusting the values in login.conf ?
>
> Also, this will only work on relatively recent versions of FreeBSD.
>
> ---Mike
>
> --
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, m...@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/

Ahhh I am sure I did not run cap_mkdb. Didn't say so in the relevant section of the handbook and I was too lazy to thoroughly read the manpage.

Thanks, I have the correct hashes now.

Cheers,
--
Christopher
TZ: GMT + 2h

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: changing md5 hashed for sha
On Sun, 24 Jun 2012 18:28:38 -0400
Lowell Gilbert wrote:

> "Christopher J. Ruwe" writes:
>
> > For setting the default hash used to hash /etc/master.passwd, it has
> > been recommended changing md5 for something more secure in the
> > sense of being more expensive to crack.
> >
> > The handbook describes the procedure used in
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html.
> > Allegedly, hashes which were hashed with one of the sha-functions
> > begin with the character $6$.
> >
> > After having changed my /etc/login.conf accordingly and having reset
> > the passwords, the given there is not md5 anymore (I have tried
> > with md5), but does not begin with the character $6$, but, as md5,
> > with $1$, which is supposed to be md5-hashed.
>
> I'm not following. Are you saying that you are resetting the passwords
> after setting login.conf, but new passwords aren't being created with
> the new hash type?

Yes, you are following correctly that the hash mechanism did not appear to have changed. It was an OSI-8 error on my part, as Mike Tancsa (one message later) helped me to understand.

Cheers,
--
Christopher J. Ruwe
TZ: GMT + 2h
Re: changing md5 hashed for sha
On 6/23/2012 9:37 AM, Christopher J. Ruwe wrote:
> For setting the default hash used to hash /etc/master.passwd, it
> has been recommended changing md5 for something more secure in the
> sense of being more expensive to crack.
>
> The handbook describes the procedure used in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html.
> Allegedly, hashes which were hashed with one of the sha-functions begin
> with the character $6$.
>
> After having changed my /etc/login.conf accordingly and having
> reset the passwords, the given there is not md5 anymore (I have
> tried with md5), but does not begin with the character $6$, but, as
> md5, with $1$, which is supposed to be md5-hashed.
>
> I fear I am a bit dense here, what am I getting wrong?

Are you sure you ran
cap_mkdb /etc/login.conf
after adjusting the values in login.conf ?

Also, this will only work on relatively recent versions of FreeBSD.

---Mike

--
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Re: changing md5 hashed for sha
"Christopher J. Ruwe" writes:

> For setting the default hash used to hash /etc/master.passwd, it has
> been recommended changing md5 for something more secure in the sense of
> being more expensive to crack.
>
> The handbook describes the procedure used in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html.
> Allegedly, hashes which were hashed with one of the sha-functions begin
> with the character $6$.
>
> After having changed my /etc/login.conf accordingly and having reset the
> passwords, the given there is not md5 anymore (I have tried with md5),
> but does not begin with the character $6$, but, as md5, with $1$, which
> is supposed to be md5-hashed.

I'm not following. Are you saying that you are resetting the passwords after setting login.conf, but new passwords aren't being created with the new hash type?
Re: changing md5 hashed for sha
On Jun 23, 2012, at 6:37 AM, Christopher J. Ruwe wrote:

> For setting the default hash used to hash /etc/master.passwd, it has
> been recommended changing md5 for something more secure in the sense of
> being more expensive to crack.
>
> The handbook describes the procedure used in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html.
> Allegedly, hashes which were hashed with one of the sha-functions begin
> with the character $6$.
>

Unfortunately, it appears that login.conf is ignored by pw w/respect to group(5) passwords.

Example Given:

Setting passwd_format=blf in login.conf(5) followed by executing:

    echo newpass | sudo pw usermod SOMEUSER -h 0
    sudo grep '^SOMEUSER:' /etc/master.passwd
    # shows Blowfish hash starting with $2a$, meanwhile…
    echo newpass | sudo pw groupmod SOMEGROUP -h 0
    grep '^SOMEGROUP:' /etc/group
    # shows login.conf(5) was ignored and an old-style crypt password (2-letter salt; 8-character max password) :(

--
Devin
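The two checks this thread turns on, as an added example that is not part of any poster's message: whether /etc/login.conf was edited after login.conf.db was last built with cap_mkdb, and which scheme each stored hash in a master.passwd- or group-format file actually uses, judged by its crypt(3) prefix. The function names are hypothetical, and taking the first passwd_format in the file is a simplifying assumption.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a passwd_format change took effect.
# All paths are parameters; run against copies or, as root, the live files.

# First passwd_format value found in a login.conf-style file (simplification:
# assumes the first occurrence belongs to the class you care about).
configured_format() {
    sed -n 's/.*:passwd_format=\([^:]*\):.*/\1/p' "$1" | head -n 1
}

# True when a .db built by cap_mkdb exists and is older than the text file,
# i.e. the edit has not been compiled into the database that gets consulted.
login_conf_stale() {
    [ -e "$1.db" ] && [ "$1" -nt "$1.db" ]
}

# Map a stored crypt(3) string to the scheme its prefix indicates.
classify_hash() {
    case "$1" in
        ''|'*'*|'!'*) echo none ;;    # no password, locked or disabled
        '$1$'*) echo md5 ;;
        '$2'*)  echo blf ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        '$'*)   echo unknown ;;
        *)      echo des ;;           # traditional crypt: no $ prefix
    esac
}

# Print "name:scheme" for every entry of a master.passwd- or group-format
# file (field 2 holds the hash in both) that is not hashed with scheme $2.
audit_file() {
    while IFS=: read -r name hash _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        [ "$scheme" = none ] || [ "$scheme" = "$2" ] || echo "$name:$scheme"
    done < "$1"
}
```

On a live FreeBSD system, as root: `login_conf_stale /etc/login.conf && echo "run cap_mkdb /etc/login.conf"`, then `audit_file /etc/master.passwd sha512` and `audit_file /etc/group sha512` to list the accounts and groups whose passwords still need to be reset.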
Re: changing md5 hashed for sha
>>> been recommended changing md5 for something more secure in the sense of
>>> being more expensive to crack.
>>
>> is md5 that easy to crack?
>
> It has been discussed recently, cf
> http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html
> or virtually the first half of
> http://lists.freebsd.org/pipermail/freebsd-security/2012-June/thread.html

wasn't aware md5 is really risky. thanks.

anyway - as long as someone doesn't actually get /etc/master.passwd it doesn't matter, it could be even plaintext here.

If someone can get /etc/master.passwd then he/she most probably already got root privilege :)
Re: changing md5 hashed for sha
On Sat, 23 Jun 2012 15:40:51 +0200 (CEST)
Wojciech Puchar wrote:

> > For setting the default hash used to hash /etc/master.passwd, it has
> > been recommended changing md5 for something more secure in the
> > sense of being more expensive to crack.
>
> is md5 that easy to crack?

It has been discussed recently, cf
http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006271.html
or virtually the first half of
http://lists.freebsd.org/pipermail/freebsd-security/2012-June/thread.html

Cheers,
--
Christopher
TZ: GMT + 2h
Re: changing md5 hashed for sha
> For setting the default hash used to hash /etc/master.passwd, it has
> been recommended changing md5 for something more secure in the sense of
> being more expensive to crack.

is md5 that easy to crack?
changing md5 hashed for sha
For setting the default hash used to hash /etc/master.passwd, it has been recommended changing md5 for something more secure in the sense of being more expensive to crack.

The handbook describes the procedure used in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html. Allegedly, hashes which were hashed with one of the sha-functions begin with the character $6$.

After having changed my /etc/login.conf accordingly and having reset the passwords, the given there is not md5 anymore (I have tried with md5), but does not begin with the character $6$, but, as md5, with $1$, which is supposed to be md5-hashed.

I fear I am a bit dense here, what am I getting wrong?

Thanks and cheers,
--
Christopher
TZ: GMT + 2h