On 3/23/17 2:56 PM, Timothy Coalson wrote:
The main advantage with this way is that you don't leave root ssh exposed
for people to try to break into, and the special user for receiving can't
get higher privileges for anything other than "zfs".

With the notable exception that your unprivileged user can destroy your file systems :)

if you are worried about someone brute forcing your password use a strong password (at least 13 but i like 20 characters with normal entropy techniques).
edit /etc/security/policy.conf
find the line that reads CRYPT_DEFAULT= and set the value to 2a -- this will set the hash to Blowfish
optionally edit /etc/security/crypt.conf and edit the 2a line to read:
2a crypt_bsdf.so.1 rounds=16

You could use more rounds but this will increase the time it takes to validate the password. The upside is this should pretty much eliminate the possibility of someone cracking your passwords. Remember this, if it takes less than one second to login (on an idle system) whether it be shell or web, your passwords can probably be cracked easily. These settings should significantly reduce the chance of some GPU coming along and cracking your passwords. Blowfish cannot be implemented well on current GPUs.

When you are done, your hash should look something like this:
jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::

If someone can crack this hash I will buy you a beer.

The the three characters of the hash identify it as blowfish, $2a, the next sequence $16, indicates i have configured sixteen rounds. I timed this so I happen to know it took seven CPU seconds to hash the password. Seven seconds should severely put a dent in the aspirations of anyone wanting to crack your shadow file.

j.


_______________________________________________
openindiana-discuss mailing list
[email protected]
https://openindiana.org/mailman/listinfo/openindiana-discuss

Reply via email to