Categories and tags: Featured, Geekyness, FreeBSD, Password Hash, Puppet, SHA-512

Puppet module to update the FreeBSD passwd hash

LinkedIn’s users database was leaked, and while passwords were not stored in plain text, they were hashed with the MD5 algorithm. Not salted, just hashed.

MD5 is no longer as secure as it once was, not with all of these GPUs lying around.

Well, the FreeBSD community has not let this go unnoticed. First off, FreeBSD has defaulted to MD5 for a while, but it has had support for Blowfish, and (this is new to me) SHA-256 and SHA-512.

In a previous job role, I made sure FreeBSD systems post-install had this set. Today, I re-implemented that at Bay Photo to use the SHA-512 hash for local accounts (which to be honest, we never use).

puppet/environments/production/modules/bootstrap/manifests/password-hash.pp

    class bootstrap::passwd-hash inherits bootstrap {
      if $operatingsystem == "FreeBSD" {
        # force new login.conf to include sha512 password hash
        file { '/etc/login.conf':
          ensure  => present,
          owner   => root,
          group   => wheel,
          source  => "puppet:///bootstrap/$operatingsystem/login.conf",
        }

        # Update auth.conf with new password hash, so adduser
        #  picks up the changes.
        file { '/etc/auth.conf':
          ensure  => present,
          owner   => root,
          group   => wheel,
          source  => "puppet:///bootstrap/$operatingsystem/auth.conf",
        }

        # Rebuild the login.conf database after we push out
        #  the new login.conf
        exec { 'cap_mkdb':
          command     => "/usr/bin/cap_mkdb -f /etc/login.conf /etc/login.conf",
          subscribe   => File['/etc/login.conf'],
          refreshonly => true,
        }
      } else {
        # not supported yet...
      }
    }

login.conf

    default:\
            :passwd_format=sha512:\
            :copyright=/etc/COPYRIGHT:\
            :welcome=/etc/motd:\
            :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
            :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
            :nologin=/var/run/nologin:\
            :cputime=unlimited:\
            :datasize=unlimited:\
            :stacksize=unlimited:\
            :memorylocked=unlimited:\
            :memoryuse=unlimited:\
            :filesize=unlimited:\
            :coredumpsize=unlimited:\
            :openfiles=unlimited:\
            :maxproc=unlimited:\
            :sbsize=unlimited:\
            :vmemoryuse=unlimited:\
            :swapuse=unlimited:\
            :pseudoterminals=unlimited:\
            :priority=0:\
            :ignoretime@:\
            :umask=027:
     
    standard:\
            :tc=default:
    xuser:\
            :tc=default:
    staff:\
            :tc=default:
    daemon:\
            :tc=default:
    news:\
            :tc=default:
    dialer:\
            :tc=default:
     
    root:\
            :ignorenologin:\
            :tc=default:

auth.conf

    crypt_default   =       sha512 md5 des

Puppet run


    notice: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/login.conf]/content: 
    --- /etc/login.conf	2012-01-02 23:57:38.000000000 -0800
    +++ /tmp/puppet-file20120608-95623-n8m4v-0	2012-06-08 12:08:49.000000000 -0700
    @@ -23,7 +23,7 @@
     # AND SEMANTICS'' section of getcap(3) for more escape sequences).
     
     default:\
    -	:passwd_format=md5:\
    +	:passwd_format=sha512:\
     	:copyright=/etc/COPYRIGHT:\
     	:welcome=/etc/motd:\
     	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
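Review bot: this hunk only switches the format used for passwords set from now on; the `$1$` MD5 hashes already sitting in master.passwd stay as they are until each user's password is reset with passwd, so schedule that reset alongside the config push rather than treating the run as a migration.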
    
    info: FileBucket adding {md5}5c122f7a3933da0c560bf3380176c194
    info: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/login.conf]: Filebucketed /etc/login.conf to puppet with sum 5c122f7a3933da0c560bf3380176c194
    notice: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/login.conf]/content: content changed '{md5}5c122f7a3933da0c560bf3380176c194' to '{md5}f6b84f0e06a3c575e7dc335ad40af8b3'
    info: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/login.conf]: Scheduling refresh of Exec[cap_mkdb]
    notice: /Stage[main]/Bootstrap::Passwd-hash/Exec[cap_mkdb]: Triggered 'refresh' from 1 events
    notice: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/auth.conf]/content: 
    --- /etc/auth.conf	2012-01-02 23:57:38.000000000 -0800
    +++ /tmp/puppet-file20120608-95623-1im1w83-0	2012-06-08 12:08:51.000000000 -0700
    @@ -5,4 +5,4 @@
     # gradually subsumed by user class and PAM configuration.
     #
     
    -# crypt_default	=	md5 des
    +crypt_default	=	sha512 md5 des
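Review bot: the uncommented line lists `sha512 md5 des`, while the context comment two lines above says this file is being subsumed by user class and PAM configuration; keep the `passwd_format=sha512` entry in login.conf as the authoritative setting and treat this line as a fallback for tools that still read auth.conf, not as the thing that enforces SHA-512 on its own.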
    
    info: FileBucket adding {md5}be1e823cd0f68551638cfe338bb5ba67
    info: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/auth.conf]: Filebucketed /etc/auth.conf to puppet with sum be1e823cd0f68551638cfe338bb5ba67
    notice: /Stage[main]/Bootstrap::Passwd-hash/File[/etc/auth.conf]/content: content changed '{md5}be1e823cd0f68551638cfe338bb5ba67' to '{md5}9067d1caa8aac19a0f971d61d6c40579'

End Results

Warning: This does not automatically convert your existing local accounts from an MD5 hash to SHA-512; you have to run the passwd command and reset your password(s).

What this does help with is when you first set up a FreeBSD system.

With that disclaimer, you’ll notice a difference in your password database:

MD5:

    some-user:$1$a2w8hSg7$_NOT_A_REAL_HASH_oePW.:10011:10011::0:0:Some User:/home/some-user:/bin/zsh

SHA-512:

    some-user:$6$8W1iKEMs1y_NOT_A_REAL_HASH_VVw7Fw59mQBNYeZPK8Mtr.UtXTDf7Q2TYy0CSx3h7n.yJDRdemLr72frmd84bMmPvvLCvB2/Xhj1:10011:10011::0:0:Some User:/home/some-user:/bin/zsh
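The warning above is the part worth checking on a live host: existing accounts keep whatever hash they had when the password was last set. As an added example that is not from the original post, here is a POSIX sh audit that reads the password format out of a login.conf and classifies each hash in a master.passwd-format file by its crypt(3) prefix (`$1$` MD5, `$5$` SHA-256, `$6$` SHA-512, `$2a$`/`$2b$`/`$2y$` Blowfish, `$sha1$` SHA-1, traditional 13-character DES otherwise), listing the accounts that still need a `passwd` run. The function names, file paths and all sample data are assumptions constructed for the example; on a real system point the functions at /etc/login.conf and /etc/master.passwd as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a FreeBSD host after the
# login.conf/auth.conf change. It reports which password format login.conf
# declares and which local accounts still carry a pre-change hash, judged by
# the crypt(3) prefix of each hash ($1$ = MD5, $6$ = SHA-512, and so on).
# Assumptions: inputs use the login.conf and master.passwd layouts; every
# sample below is constructed and contains no real credentials.

# login_passwd_format FILE -> prints the first passwd_format value found
# (capability entries continue across lines with '\', so match per line).
login_passwd_format() {
    sed -n 's/.*:passwd_format=\([^:]*\):.*/\1/p' "$1" | head -n 1
}

# hash_algo HASH -> prints the algorithm implied by the crypt(3) prefix
hash_algo() {
    case "$1" in
        '$6$'*)                   echo sha512 ;;
        '$5$'*)                   echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo blowfish ;;
        '$1$'*)                   echo md5 ;;
        '$sha1$'*)                echo sha1 ;;
        ''|'*'*|'!'*)             echo none ;;   # empty, locked or disabled
        *)                        echo des ;;    # 13-character traditional DES
    esac
}

# weak_accounts FILE -> prints "user algorithm" for each account whose hash
# is neither SHA-512 nor empty/locked; those users still need a passwd run.
weak_accounts() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac    # skip blanks and comments
        algo=$(hash_algo "$hash")
        case "$algo" in
            sha512|none) ;;
            *) printf '%s %s\n' "$user" "$algo" ;;
        esac
    done < "$1"
}

# make_samples DIR -> writes a constructed login.conf and master.passwd
make_samples() {
    printf '%s\n' 'default:\' '        :passwd_format=sha512:\' \
        '        :umask=027:' > "$1/login.conf"
    cat > "$1/master.passwd" <<'EOF'
# constructed sample in master.passwd layout (no real hashes)
root:$6$SAMPLEsalt$SAMPLEhashSHA512:0:0::0:0:Charlie &:/root:/bin/sh
legacy:$1$SAMPLEsl$SAMPLEhashMD5:1001:1001::0:0:Legacy User:/home/legacy:/bin/sh
olddes:SAMPLEdesha:1002:1002::0:0:DES User:/home/olddes:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
locked:*LOCKED*$6$SAMPLEsalt$SAMPLEhashSHA512:1003:1003::0:0:Locked:/home/locked:/bin/sh
EOF
}

# Stand-alone usage: build the samples in a temp dir and report on them.
dir=$(mktemp -d)
make_samples "$dir"
echo "login.conf passwd_format: $(login_passwd_format "$dir/login.conf")"
echo "accounts not yet on SHA-512:"
weak_accounts "$dir/master.passwd"
rm -rf "$dir"
```

The prefix mapping follows crypt(3); accounts whose hash field is empty or begins with `*` or `!` (locked, or no password at all) are skipped because there is nothing to rehash, which is why only the MD5 and DES users show up in the sample run.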