My friend and fellow FreeBSD enthusiast Derek Marcotte recently pointed out that
FreeBSD has no easy way to set the logarithmic rounds for bcrypt password
hashes. Doing so is trivial in OpenBSD, and considering the capabilities of
current GPU attacks, I want this functionality.
This issue was raised over eight years ago in kern/75934 by Steven Alexander
Jr., who included a patch to add this feature. Unfortunately, this seems to
have been completely overlooked, and there were no public responses to this PR.
I commissioned Derek to come up with a solution by either updating Steven's
patch or by devising a new method. To paraphrase Derek's comments:
-----BEGIN PARAPHRASIS-----
I did some research into what other *BSDs are doing. OpenBSD and NetBSD use the
algorithm name, a comma, and then the number of rounds:
http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5
localcipher=blowfish,6
http://netbsd.gw.com/cgi-bin/man-cgi?passwd.conf+5+NetBSD-current
localcipher=blowfish,6
To me, this isn't a good way to do it because we'd need special rules to
parse this extra field out of the previously unstructured data. This parsing
would be algorithm dependant.
Everyone knows about modular crypt, so why not feed the modular crypt salt
string as the parameter directly? Instead of messing with different names, give
the power to the system admin to control this directly, so when crypt is
updated, pam_unix can take advantage. Each implementation of crypt algorithms
already includes parsing of the salt magic.
I found that patching pam_unix was the least invasive way to handle configurable
hashes for login. I've added a passwd_modular parameter that will supersede
passwd_format when defined. passwd_modular will feed directly into crypt, so
any options that are passed to crypt via the salt are immediately available for
use in the master.passwd file. For example:
:passwd_modular=$2a$11$:\
Now you can also set the rounds for sha512:
:passwd_modular=$6$rounds=1000000$:\
To disable passwd_modular and revert to passwd_format:
:passwd_modular=disabled:\
This also lets admins shoot themselves in the foot by supplying invalid or bad
salts. For example:
:passwd_modular=$1$constantsalt:\
I had considered setting a second variable like ":passwd_param=8:\",
but then you really have to mess with crypt to make it work. I think it would
be a much more invasive change, and unnecessary, providing the documentation for
login.conf is brought up to date.
FreeBSD 8.* doesn't have access to the SHA family of hashes. If this is
merged back into 8, it will give much stronger password security when using
$2a$08$ (or higher) than is currently available.
bcrypt is preferable to sha512 because of its resilience to current GPU attacks.
This is expected to change. Hopefully, my patch will lay some groundwork to
incorporate scrypt.
-----END PARAPHRASIS-----
I've attached a copy of Derek's patches for the FreeBSD 9-STABLE
versions of pam_unix and the login.conf man page. These may have to be adjusted
for HEAD.
I really like Derek's solution. It's working perfectly for bcrypt on my
own network, and I'm planning to distribute it to the hundreds of FreeBSD
servers that I am responsible for maintaining. In my opinion, committing
Derek's patches will allow kern/75934 to be closed.
--
A.J. Kehoe IV (Nanoman) | /"\ ASCII Ribbon Campaign
Nanoman's Company | \ / - No HTML/RTF in E-mail
E-mail: nanoman at nanoman.ca | X - No proprietary attachments
WWW: http://www.nanoman.ca/ | / \ - Respect for open standards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_unix.c.patch
Type: text/x-diff
Size: 2537 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: login.conf.5.patch
Type: text/x-diff
Size: 1012 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3924 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20130707/b79cfd0f/attachment.bin>