Hack 29 Protecting Passwords With Blowfish Hashes
|
Take these simple steps to thwart password crackers. All good administrators know that passwords can be a weak link in the security chain. A malicious and determined user armed with a password cracker could conceivably guess enough of your network's passwords to access unauthorized resources. 3.7.1 Protecting System Passwords in GeneralFortunately, you can make a password cracker's life very difficult in several ways. First, educate your users to choose complex, hard-to-guess passwords that are meaningful enough for them to remember. This will thwart dictionary password crackers [Hack #30], which use lists of dictionary and easy-to-guess words. Second, be aware of who has superuser privileges and who has the right to backup /etc. This directory contains the two password databases that are required to run a brute-force password cracker. As the name implies, this type of cracker will eventually guess every password in your password databases as it systematically tries every possible keyboard combination. Your best protection from this type of cracker is to prevent access to those password databases. This includes locking up your backup tapes and monitoring their access. It is also a good idea to increase the amount of time it would take a brute-force cracker to crack a password database. FreeBSD, like most Unix systems, adds a magic bit of randomness known as a salt to the password when it is stored in the password database. The upshot is that a password cracker may have to try up to 4,096 different combinations for each and every password it tries to guess. Using a strong algorithm to protect your passwords can also slow down a brute-force cracker. FreeBSD supports a hard-to-crack algorithm known as Blowfish. One of the first things I do after a FreeBSD install is to configure the password database to use Blowfish. While it is easier to do this before you create your users, it is still worth your while to implement it after you've created your user accounts. 3.7.2 Protecting System Passwords with BlowfishTo use Blowfish, start by opening up /etc/login.conf in your favorite editor. Look for this line: :passwd_format=md5:\ Carefully edit it so it looks like this: :passwd_format=blf:\ Check for typos before saving your change. You may have noticed this comment when you modified /etc/login.conf: # Remember to rebuild the database after each change to this file: # # cap_mkdb /etc/login.conf # Let's take a closer look at what we're being asked to do. According to that comment, login.conf is more than a configuration file, it is a database. Not only that, it is a capability database, a database that supports different capabilities. That is the reason behind the weird syntax within login.conf. Whenever you edit a capability database, you have to use the cap_mkdb command to integrate your changes within the database. So, follow the directions: # cap_mkdb /etc/login.conf 3.7.2.1 Converting existing passwordsIf you have any existing users, you need to convert their passwords from MD5 to Blowfish. This is why it's a good idea to make the change before you create your users. If you've already created users, it's back to the password database to find all of the active accounts. Inactive accounts accounts that don't allow logins have the * character instead of an encrypted password. Since we want to find all of the lines in the password database that do not contain an asterisk, we need an inverted grep: # grep -v '*' /etc/master.passwd root:$1$ywXbyPT/$GC8tXN91c.lsKRpLZori61:0:0::0:0:Charlie &:/root:/bin/csh dru:$1$GFm1nh6I$jh3v4I.QNf450ARgltZU5.:1008:0::0:0:User &:/home/dru:/bin/csh Well, that worked, but we could make the output look much prettier: # grep -v '*' /etc/master.passwd | cut -d ':' -f 1 root dru Let's pick apart that command syntax. grep -v creates a reverse filter. In effect, it says, "Show me the lines in /etc/master.passwd that do not contain an *." Since those lines are long and contain much more than just the username, I piped the output to the cut utility to literally cut out the portions I don't need to see. Notice that the usernames are the very first thing in each line, and they are always followed by the : field separator. -d tells cut to consider the colon character, not the tab character, as the separator. -f 1 tells cut that I'm interested in the very first field of that line. It looks like my particular system has two active accounts: root and dru. Notice in the original output the long sequence of characters that starts with $1 and ends with :. No, my users' passwords aren't quite that complex. Rather, you're seeing the password after it's been encrypted by the MD5 algorithm. That $1 means MD5. It'll be $2 after we switch to Blowfish encryption. (Be aware that you can't edit the file directly; the entire password must be changed.) I'll now change those two passwords: # passwd dru Changing local password for dru New Password: Retype New Password: # passwd Changing local password for root New Password: Retype New Password: Note that the superuser can change any user's password by specifying the appropriate username. If you don't specify a name, you will instead change the root password. When you're finished, repeat the original grep -v command and double-check that all of the encrypted passwords now start with $2.
3.7.2.2 Forcing new passwords to use BlowfishFinally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Look for this line: # crypt_default = md5 des and carefully change it to: crypt_default = blf Once you've saved your change, test it by creating a new user. The easiest way to do this is to type adduser and follow the prompts. 3.7.3 See Also
|
