DaemonForums  

#1
2nd June 2008
aleunix
Real Name: Alessandro
Spam Deminer

Join Date: May 2008
Location: Italy
Posts: 224

Questions about encrypt local passwords

I would like to know which encryption method is used by 'auto'.

Encrypt local passwords using method of encryption as described in login.conf(5).
If method is ``auto'', the encryption type will be derived from the user's login class.

man 5 login.conf
Default allowed authentication styles:
auth-defaults:auth=password,skey

Does this mean that by default local passwords are stored using the S/Key system?

Which algorithm is used by the S/Key system, md4 or md5?

Note:
For the moment I am using qemu to get comfortable with OpenBSD.
#2
2nd June 2008
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

From login.conf(5):
Code:
localcipher       string     blowfish,6   The cipher to use for local
                                               passwords.  Possible values
                                               are: ``old'',
                                               ``newsalt,<rounds>'', ``md5'',
                                               and ``blowfish,<rounds>'' where
                                               ``old'' means classic 56-bit
                                               DES.  For ``newsalt'' the value
                                               of rounds is a 24-bit integer
                                               with a minimum of 7250 rounds.
                                               For ``blowfish'' the value can
                                               be between 4 and 31.  It speci-
                                               fies the base 2 logarithm of
                                               the number of rounds.
The default installation /etc/login.conf file is set so that the default local cipher is "blowfish,6". The daemon class local cipher is set to "blowfish,8".

S/Key is a one-time-passphrase authentication system. For more information, see the man pages: skey(1), skeyinit(1), skeyinfo(1), skey(5), skeyaudit(1), skeyprune(1).

I have skey set up on one of my servers for ssh access from public-access computers. The one-time-passwords are useful in situations where public key encryption cannot be used. (Keyboard capture applications will not be able to take advantage of one-time-passphrases, but they could certainly acquire other information if the user is not careful on such computers.)
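An added example, not part of any post in this thread and not OpenBSD's own code: Python that resolves each login class's localcipher, checks it against the ranges quoted above from login.conf(5), and compares it with the cost embedded in stored bcrypt hashes. The login.conf fragment, the master.passwd lines and all function names are constructed for illustration, and tc= resolution is limited to simple single-parent chains.

```python
import re

# Constructed login.conf fragment carrying the two values quoted in the thread.
LOGIN_CONF = r"""
default:\
	:localcipher=blowfish,6:\
	:tc=auth-defaults:
daemon:\
	:localcipher=blowfish,8:\
	:tc=default:
"""
# Constructed master.passwd lines; the 53-character hash bodies are filler.
MASTER_PASSWD = "\n".join([
    "root:$2a$08$" + "x" * 53 + ":0:0:daemon:0:0:root:/root:/bin/ksh",
    "alice:$2a$06$" + "x" * 53 + ":1000:1000::0:0:Alice:/home/alice:/bin/ksh",
    "www:$2a$06$" + "x" * 53 + ":67:67:daemon:0:0:web:/var/www:/sbin/nologin",
])

def parse_classes(text):
    """Map each login class to its capabilities (termcap-style records)."""
    classes = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # fold continuations
        if line.strip() and not line.startswith("#"):
            name, *caps = line.strip().split(":")
            classes[name] = dict(c.split("=", 1) for c in caps if "=" in c)
    return classes

def local_cipher(classes, cls, default="blowfish,6"):
    """Follow tc= links until a localcipher is found; else the documented default."""
    seen = set()
    while cls in classes and cls not in seen:
        seen.add(cls)
        if "localcipher" in classes[cls]:
            return classes[cls]["localcipher"]
        cls = classes[cls].get("tc")
    return default

def check_cipher(spec):
    """Apply the ranges quoted from login.conf(5): returns (valid, description)."""
    name, _, arg = spec.partition(",")
    if name == "blowfish" and arg.isdigit():
        return 4 <= int(arg) <= 31, f"2^{arg} = {2 ** int(arg)} rounds"
    if name == "newsalt" and arg.isdigit():
        return 7250 <= int(arg) < 2 ** 24, f"{arg} rounds"
    return (name in ("old", "md5") and not arg), name

def audit(master_passwd, classes):
    """List (user, stored_cost, configured_cost) where a bcrypt hash lags its class."""
    stale = []
    for user, pw, _, _, cls, *_ in (l.split(":") for l in master_passwd.splitlines()):
        spec = local_cipher(classes, cls or "default")
        m = re.match(r"\$2[ab]?\$(\d\d)\$", pw)  # cost is stored in the hash prefix
        if m and spec.startswith("blowfish,") and int(m.group(1)) < int(spec[9:]):
            stale.append((user, int(m.group(1)), int(spec[9:])))
    return stale
```

A mismatch such as the constructed `www` entry means the hash was created under a lower cost and stays at that cost until the password is changed.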
#3
2nd June 2008
aleunix
Real Name: Alessandro
Spam Deminer

Join Date: May 2008
Location: Italy
Posts: 224

Thanks for the clarification.

But I have another question:
Quote:
Originally Posted by jggimi View Post
The default installation /etc/login.conf file is set so that the default local cipher is "blowfish,6". The daemon class local cipher is set to "blowfish,8".
Why this difference from 6 to 8?
In essence, by default, a more robust encoding is assigned in the case of execution of daemons, and a slightly less robust one for passwords?
#4
2nd June 2008
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

The daemon class is used by /etc/rc and root.

I do not know the reason for the different number of rounds; I could only guess it is for performance. You're welcome to change ciphers, or change the number of rounds, as you wish. The encrypted passwords are stored in /etc/master.passwd which requires root access. (If root is compromised, passwords won't matter anyway.)

There was a thread in the misc@ archives from December 2005, about the blowfish cipher and its use. The thread also discusses other cipher technologies, including MD5.

It starts here:

http://marc.info/?l=openbsd-misc&m=113588769128789&w=2
#5
2nd June 2008
BSDfan666
Real Name: N/A, this is the interweb.
Banned

Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

According to Wikipedia, blowfish is considerably resource intensive.. which makes brute force attacks especially hard.

I trust the OpenBSD developers have done us justice.. still, pick a long alpha-numeric password.. 20/30 characters in length if your memorization skills are well honed.