fatman
July 21st, 2004, 12:59
I'm getting ready to make my first jump into true server administration using a FreeBSD server and I was wondering: Is there a way to store passwords via 3DES encryption instead of MD5, DES, or Blowfish? I know the chance of anyone decrypting even DES passwords isn't too great, but I figure "why take the chance?" If I can make things a bit more secure and learn something in the process, that's a win-win situation. :D

bmw
July 21st, 2004, 14:34
DES is brute-force crackable in seconds on something as lowly as an iPod, so you are well advised to get away from it. But MD5 hashes are very secure, so why don't you just go with those? That's standard fare on FreeBSD.

molotov
July 22nd, 2004, 00:27
I prefer Blowfish, but MD5 ain't shabby.

fatman
July 22nd, 2004, 09:33
Works for me. I was just kind of wondering that since 3DES is workable why it's not a default option. And also whether it's an installable option.

But if they can get my password file, I've got other problems that need fixing before worrying about how the password was stored. :D

molotov
July 22nd, 2004, 15:00
hehe, try cracking Blowfish sometime, it isn't trivial. I suppose we should haul in JT with his tinfoil hat to give a more definitive response on encryption.

bmw
July 22nd, 2004, 16:28
> Works for me. I was just kind of wondering that since 3DES is workable why it's not a default option. And also whether it's an installable option.

Not sure how it works for you. The choice of encryption is configured in login.conf. That manpage sez:

AUTHENTICATION
     Name            Type     Notes    Description
     passwd_format   string   md5      The encryption format that new or
                                       changed passwords will use. Valid
                                       values include "des", "md5" and
                                       "blf". NIS clients using a
                                       non-FreeBSD NIS server should
                                       probably use "des".


So you can do DES (stock ancient UNIX), MD5 (which is the standard FreeBSD secure choice) and Blowfish, which I think is compatible with OpenBSD's Blowfish choice, but you need to try it.
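
The manpage excerpt above says passwd_format applies only to new or changed passwords, so hashes stored earlier keep their old format. The following is an added example, not part of the original thread: a small audit that reports which accounts still carry a hash in a different format. It assumes the usual crypt(3) tags (`$1$` for MD5, `$2…$` for Blowfish, no tag for DES); the master.passwd lines and hash values are constructed.

```python
import re

# Constructed master.passwd-style sample; the hash values are fake placeholders.
SAMPLE = """
root:$1$CONSTRUC$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
olduser:abCONSTRUCTED:1001:1001::0:0:Legacy account:/home/olduser:/bin/sh
alice:$2a$04$CONSTRUCTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1002:1002::0:0:Alice:/home/alice:/bin/sh
"""

def hash_scheme(field):
    """Map a password field to the passwd_format name it was hashed with."""
    if field == "":
        return "empty"                      # no password set at all
    if field.startswith("*"):
        return "locked"                     # login disabled, nothing to audit
    if field.startswith("$1$"):
        return "md5"
    if re.match(r"\$2[abxy]?\$", field):
        return "blf"
    if field.startswith("$"):
        return "other"                      # some other tagged scheme
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"                        # traditional DES: 13 chars, no tag
    if re.fullmatch(r"_[./0-9A-Za-z]{19}", field):
        return "des"                        # extended DES
    return "unknown"

def audit(master_passwd_text, wanted="md5"):
    """Return (user, scheme) for accounts whose hash is not in the wanted format."""
    findings = []
    for line in master_passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = hash_scheme(fields[1])
        if scheme not in (wanted, "locked"):
            findings.append((fields[0], scheme))
    return findings

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE, wanted="md5"):
        print(f"{user}: stored as {scheme}; needs a password change to be rehashed")
```
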

molotov
July 22nd, 2004, 16:45
Don't forget /etc/auth.conf

bmw
July 22nd, 2004, 16:50
That's right: don't forget /etc/auth.conf ... because I did. :-)

fatman
July 23rd, 2004, 14:09
> Not sure how it works for you.

Oh sorry.. I meant, that'll work for me... read: I'll just use MD5.