OpenBSD login.conf




OpenBSD, in a well-placed paranoid departure from the limitations of DES-based password encryption, includes that algorithm only for compatibility with other Unix systems. System administrators can choose among multiround DES, MD5, and Blowfish. We’ve already mentioned that one benefit of MD5 is the ability to use passwords of arbitrary length. Blowfish, developed by Bruce Schneier and peers, also accepts passwords of arbitrary length. It also has the advantage of being relatively slow. This might sound counterintuitive, but we’ll explain why later in the “John the Ripper” section.

Implementation

OpenBSD does not use a PAM architecture, but it still maintains robust password management. The /etc/login.conf file contains directives for the encryption algorithms and the controls that users on the system must follow. The entries in login.conf carry more instructions about user requirements than just password policies, so the options explained here should be appended to a class’s existing options. The first field of each entry is the name of a login class assigned to users; the special entry “default” applies to users without a class.

To determine the login class of a user, or to specify a user’s class, open the /etc/master.passwd file with the vipw utility. The login class is the fifth field in a user’s password entry. Here’s an example; the login classes are daemon (for root) and staff (for bisk):

root:$2a$06$T22wQ2dH...:0:0:daemon:0:0:Fede:/root:/bin/csh
bisk:$2a$06$T22wQ2dH...:0:0:staff:0:0::/home/bisk:/bin/csh

Partial entries in the login.conf file might contain the following (the \ character represents a line continuation in this code):

default:\
        :path=/usr/bin:\
        :umask=027:\
        :localcipher=blowfish,6
staff:\
        :path=/usr/sbin:\
        :umask=077:\
        :localcipher=blowfish,8
daemon:\
        :path=/usr/sbin:\
        :umask=077:\
        :localcipher=blowfish,8

This instructs the system to use the Blowfish algorithm for every user. The ,6 and ,8 indicate the number of rounds through which the algorithm passes. This slows the algorithm because it must take more time to encrypt the password. If a password takes longer to encrypt, it will also take more time to brute force. For example, it takes much longer to go through a dictionary of 100,000 words if you use 32 rounds (localcipher=blowfish,32) of the algorithm as opposed to six rounds.

The most important entries of the login.conf file are default, because it applies to all users, and daemon, because it applies to the root user.

Each entry can have multiple options:

  • localcipher=algorithm   Default = old. This defines the encryption algorithm to use. The best options are md5 and blowfish,N where N is the number of rounds to use (N < 32). The “old” value represents DES and should be avoided because passwords cannot be longer than eight characters, and current password crackers work very efficiently against this algorithm.

  • ypcipher=algorithm   Same values as localcipher. This is used for compatibility with a Network Information System (NIS) distributed login.

  • minpasswordlen=N   Default = 6. The minimum acceptable password length.

  • passwordcheck=program   Specifies an external password-checking program. This should be used with care because the external program could be subject to Trojans, errors, or buffer overflows.

  • passwordtries=N   Default = 3. The number of times to prompt the user for a new password if the previous password did not meet OpenBSD standards. A user can still bypass the standards unless this value is set to 0.

An updated login.conf file would contain the following (the ftpaccess class is purposefully weak for this example):

default:\
        :path=/usr/bin:\
        :umask=027:\
        :localcipher=blowfish,8:\
        :minpasswordlen=8:\
        :passwordtries=0
ftpaccess:\
        :path=/ftp/bin:\
        :umask=777:\
        :localcipher=old:\
        :minpasswordlen=6:\
        :passwordtries=3
staff:\
        :path=/usr/sbin:\
        :umask=077:\
        :localcipher=blowfish,12:\
        :minpasswordlen=8:\
        :passwordtries=0
daemon:\
        :path=/usr/sbin:\
        :umask=077:\
        :localcipher=blowfish,31

The policy specified by this file requires the Blowfish algorithm for all users except those in the ftpaccess class. The password policy for the ftpaccess class represents the requirements of old-school Unix systems, as indicated by localcipher=old. The passwords for users in the staff class, a class commonly associated with administrative privileges, are encrypted with 12 rounds. The root password, by default a member of daemon, must be encrypted with the maximum number of Blowfish rounds. Although the Blowfish and MD5 algorithms support an arbitrary password length, OpenBSD currently limits this to 128 characters. That’s enough for a short poem!
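A policy like this is only as good as the hashes actually sitting in /etc/master.passwd: an account whose password was last set under an older, weaker class keeps its old hash until the next change. The following audit script is an added example (not from the book or from OpenBSD) that parses the backslash-continued login.conf format and the master.passwd class field described above, reads the cost from the $2a$NN$ prefix, and flags accounts whose stored hash is weaker than their class’s localcipher. The sample files, the account names, and the rule that a class without localcipher falls back to the default class are constructed assumptions for this example.

```python
import re
# Constructed sample files (not real system data); login.conf uses the page's
# class names, and the fifth master.passwd field is the login class.
LOGIN_CONF = r"""default:\
	:localcipher=blowfish,8:\
	:minpasswordlen=8:
ftpaccess:\
	:localcipher=old:
staff:\
	:localcipher=blowfish,12:
daemon:\
	:localcipher=blowfish,31:
"""
MASTER_PASSWD = r"""root:$2a$31$CONSTRUCTEDsaltCONSTRUCTEDhash:0:0:daemon:0:0:Charlie:/root:/bin/ksh
bisk:$2a$06$CONSTRUCTEDsaltCONSTRUCTEDhash:1000:1000:staff:0:0::/home/bisk:/bin/ksh
ftp:AbCdEfGhIjKlM:1001:1001:ftpaccess:0:0::/home/ftp:/sbin/nologin
anon:$1$CONSTRUCT$CONSTRUCTEDmd5hash:1002:1002::0:0::/home/anon:/bin/ksh
"""
STRENGTH = {"old": 0, "md5": 1, "blowfish": 2}

def parse_login_conf(text):
    """{class: {capability: value}}: join backslash-continued lines, split on ':'."""
    classes = {}
    for record in re.sub(r"\\\n\s*", "", text).splitlines():
        if record.strip() and not record.startswith("#"):
            name, *caps = [f for f in record.split(":") if f]
            classes[name] = dict(c.split("=", 1) if "=" in c else (c, "") for c in caps)
    return classes
def hash_scheme(field):
    """('blowfish', N) / ('md5', None) / ('old', None); N is the two digits after $2a$."""
    if m := re.match(r"\$2[abxy]?\$(\d\d)\$", field):
        return ("blowfish", int(m.group(1)))
    return ("md5", None) if field.startswith("$1$") else ("old", None)  # old = DES crypt
def audit(login_conf_text, master_passwd_text):
    """(user, class, problem) for each account whose hash is weaker than its class policy."""
    classes, findings = parse_login_conf(login_conf_text), []
    for line in master_passwd_text.splitlines():
        user, pw, _, _, cls = line.split(":")[:5]
        cls = cls or "default"                    # empty class field means "default"
        # Assumption: a class that sets no localcipher inherits the default class's value.
        policy = classes.get(cls, {}).get("localcipher") or classes["default"]["localcipher"]
        want, _, want_cost = policy.partition(",")
        have, have_cost = hash_scheme(pw)
        if want == "old":
            findings.append((user, cls, "class policy localcipher=old allows DES hashes"))
        elif STRENGTH[have] < STRENGTH[want]:
            findings.append((user, cls, f"stored hash is {have}, policy requires {want}"))
        elif have == want == "blowfish" and have_cost < int(want_cost):
            findings.append((user, cls, f"blowfish cost {have_cost} below policy {want_cost}"))
    return findings
```

On the sample data, root passes (cost 31 against blowfish,31) while bisk, ftp, and anon are reported; a flagged account needs its password reset under the current class so a fresh hash is generated.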

Note 

One of the best places to search for passwords is in the history files for users’ shells. Take a look at .history and .bash_history files for strange commands. Sometimes an administrator will accidentally type the password on the command line. This usually occurs when the administrator logs into a remote system or uses the su command and mistypes the command or anticipates the password prompt. We once found a root user’s 13-character password this way!






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
