On Thu, Mar 23, 2017 at 6:19 PM, jason matthews <[email protected]> wrote:
> > > On 3/23/17 2:56 PM, Timothy Coalson wrote: > >> The main advantage with this way is that you don't leave root ssh exposed >> for people to try to break into, and the special user for receiving can't >> get higher privileges for anything other than "zfs". >> > > With the notable exception that your unprivileged user can destroy your > file systems :) > Well, yes, but fumble-fingering "pfexec zfs destroy -r <pool>/<filesystem>" as this user (and there being no holds on any snapshots) is less likely than fumble-fingering "rm -rf /" as root - not everything is about security from attackers ;) The main security feature is that the username is of your choosing, and not "root", while attempting ssh as "root" is a classic of casual attacks (and why it is disabled by default in the first place). This machine is behind a firewall anyway (it serves NFSv3, after all), or I would be taking more extreme measures... > if you are worried about someone brute forcing your password use a strong > password (at least 13 but i like 20 characters with normal entropy > techniques). > edit /etc/security/policy.conf > find the line that reads CRYPT_DEFAULT= and set the value to 2a -- this > will set the hash to Blowfish > optionally edit /etc/security/crypt.conf and edit the 2a line to read: > 2a crypt_bsdf.so.1 rounds=16 > > You could use more rounds but this will increase the time it takes to > validate the password. The upside is this should pretty much eliminate the > possibility of someone cracking your passwords. Remember this, if it takes > less than one second to login (on an idle system) whether it be shell or > web, your passwords can probably be cracked easily. These settings should > significantly reduce the chance of some GPU coming along and cracking your > passwords. Blowfish cannot be implemented well on current GPUs. > > When you are done, your hash should look something like this: > jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/ > 8zWdCqO:17248:::::: > > If someone can crack this hash I will buy you a beer. > There's some logic to why the shadow file isn't world-readable. You might want to reset that password soon anyway (if you haven't already), as the NSA may decide not to ask for that beer ;) > The the three characters of the hash identify it as blowfish, $2a, the > next sequence $16, indicates i have configured sixteen rounds. I timed this > so I happen to know it took seven CPU seconds to hash the password. Seven > seconds should severely put a dent in the aspirations of anyone wanting to > crack your shadow file. > > j. > > > > _______________________________________________ > openindiana-discuss mailing list > [email protected] > https://openindiana.org/mailman/listinfo/openindiana-discuss > _______________________________________________ openindiana-discuss mailing list [email protected] https://openindiana.org/mailman/listinfo/openindiana-discuss
