Friday, January 01, 2010

Improving password security in Debian

Most readers have probably installed Debian 5.0 (Lenny) or an older release and are using shadow passwords hashed with the md5 algorithm. That is not bad, but it is not good enough. You can check by looking at /etc/passwd and /etc/shadow (as root): the second column should be a single character x in /etc/passwd and a string like

$1$biMft/Pr$Lo3zPpiItdLZrzx8t/mTy0
in /etc/shadow. The number 1 between the first and second $ sign means md5, the following string biMft/Pr is the salt and the last string Lo3zPpiItdLZrzx8t/mTy0 is the actual hash of the password ('testmd5' in this case). The salt is chosen at random when the password is set; it makes two accounts with the same password hash differently and defeats attacks based on precomputed hash tables. What the salt cannot fix is the work factor: md5-crypt always runs exactly 1000 iterations, so its cost per guess is fixed by its design and cannot be raised.

The pam package switched to the stronger sha512 algorithm in version 1.1.0-2 on 31 August 2009. Look for a line like
password        [success=1 default=ignore]      pam_unix.so obscure sha512
in /etc/pam.d/common-password if you have at least version 1.1.0-2 installed. Existing entries in /etc/shadow are not converted; the new algorithm is only applied when a password is set. After changing the password I have the new string
$6$qjc5gFgK$vaz/gLKMyDuhsVOU2oVIkDZrD0.reJM.2Ft3CMEoAsjN/lenvHC2ls6g/MY1ZaYaYBP3HHDOxel1dvTerl17q1
in /etc/shadow. The number 6 means sha512, qjc5gFgK is again the salt, and the hash
vaz/gLKMyDuhsVOU2oVIkDZrD0.reJM.2Ft3CMEoAsjN/lenvHC2ls6g/MY1ZaYaYBP3HHDOxel1dvTerl17q1
is much longer than before: 86 characters encoding a 512-bit digest, against 22 characters for md5's 128 bits.

Together with the sha256 and sha512 algorithms, pam_unix accepts the argument rounds=... which sets how often the hash is iterated; the default is 5000, and glibc accepts values from 1000 to 999999999. My current machine needs about 20 milliseconds to hash my password. That can be measured with the command
/usr/bin/time -f %U su testmd5 -c true
which prints the user CPU time in seconds. Run it as an ordinary user, not as root: pam_rootok lets root through su without a password check, so nothing would be hashed.
I have changed the number to 1 million
password        [success=1 default=ignore]      pam_unix.so obscure sha512 rounds=1000000
to make brute-force attacks against a stolen /etc/shadow more difficult: every guess now costs the attacker 200 times as much as with the default. After changing the password again the string is
$6$rounds=1000000$Va4plzLi$EtixueZQ1ZQlzQa7eHHsG6UcNvu.EnuCqM79kIyUe82eAZ.JNegn4SBY1RduYlACs0RWLFHD4d//PzQXMsCqk0
with the number of rounds embedded, so that verification knows how much work to do. The su command needs 1.79 seconds now, which is an acceptable delay for an interactive login considering the improved security. Bear in mind that the same cost applies to every authentication that goes through pam_unix (sudo, screen lockers, sshd with password authentication), and that each failed remote login attempt also costs the server those 1.79 seconds of CPU.

Don't forget to change the root password too if you have set one; its hash is only upgraded when the password is set again.
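
To make the structure of these strings concrete, here is an added example (mine, not code from the post or from the pam package): a pure-Python re-implementation of glibc's sha512-crypt, a parser for the $id$[rounds=N$]salt$hash layout walked through above, a verifier that recomputes a stored hash with the parameters embedded in it, and an audit that flags accounts in a shadow file that are still on md5 or on too few rounds. The shadow excerpt, the user names test6 and test6r and the 100000-round policy threshold are constructed for illustration; the three hash strings are the ones quoted in the post, and the rest of each shadow line is invented.

```python
import hashlib
import hmac
import re

# crypt(3) uses its own 64-character alphabet, not the RFC 4648 one.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _crypt_b64(digest, groups, tail):
    # Three digest bytes -> four chars, low 6 bits first; the odd last byte -> two chars.
    out = []
    for a, b, c in groups:
        w = (digest[a] << 16) | (digest[b] << 8) | digest[c]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    return "".join(out) + ITOA64[digest[tail] & 0x3F] + ITOA64[digest[tail] >> 6]

def sha512_crypt(password, salt, rounds=None):
    # $6$ as glibc computes it: rounds=None is the implicit default of 5000; an explicit
    # value is clamped to [1000, 999999999] and recorded in the output string.
    pw, salt = password.encode(), salt.encode()[:16]
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n:  # for each bit of len(pw): a 1 adds digest B, a 0 adds the password
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (len(salt) // 64) + ds[: len(salt) % 64]
    c = a
    for i in range(r):  # the tunable work factor: one SHA-512 per round
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Output bytes are shuffled: triple k takes bytes k, k+21, k+42, rotated k places.
    groups = [tuple(k + 21 * ((j + k) % 3) for j in range(3)) for k in range(21)]
    prefix = "$6$" if rounds is None else "$6$rounds=%d$" % r
    return prefix + salt.decode() + "$" + _crypt_b64(c, groups, 63)

# $id$[rounds=N$]salt$hash: the layout the post walks through field by field ($1$ or $6$ only).
CRYPT_RE = re.compile(r"^\$(?P<id>[16])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")

def parse_crypt(stored):
    # -> (scheme id, explicit rounds or None, salt, hash); ValueError for anything else.
    m = CRYPT_RE.match(stored)
    if not m or (m["id"] == "1" and m["rounds"]):
        raise ValueError("unsupported or malformed crypt string: %r" % stored)
    return m["id"], int(m["rounds"]) if m["rounds"] else None, m["salt"], m["hash"]

def verify(password, stored):
    # Recompute with the parameters embedded in the stored string; compare in constant time.
    scheme, rounds, salt, _ = parse_crypt(stored)
    if scheme != "6":
        raise ValueError("only sha512-crypt is reimplemented here")
    return hmac.compare_digest(sha512_crypt(password, salt, rounds).encode(), stored.encode())

def audit_shadow(shadow_lines, min_rounds=100_000):
    # Flag password-bearing accounts whose stored hash falls short of the target policy.
    findings = []
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        if not field or field[0] in "*!":
            continue  # locked or passwordless account
        try:
            scheme, rounds, _, _ = parse_crypt(field)
        except ValueError:
            findings.append((user, "unrecognised hash scheme"))
            continue
        if scheme == "1":
            findings.append((user, "md5-crypt, 1000 fixed rounds"))
        elif (rounds or 5000) < min_rounds:
            findings.append((user, "sha512-crypt with only %d rounds" % (rounds or 5000)))
    return findings

# Constructed /etc/shadow excerpt; the three hashes are the ones quoted in the post.
SAMPLE_SHADOW = [
    "testmd5:$1$biMft/Pr$Lo3zPpiItdLZrzx8t/mTy0:14610:0:99999:7:::",
    "test6:$6$qjc5gFgK$vaz/gLKMyDuhsVOU2oVIkDZrD0.reJM.2Ft3CMEoAsjN/lenvHC2ls6g/MY1ZaYaYBP3HHDOxel1dvTerl17q1:14610:0:99999:7:::",
    "test6r:$6$rounds=1000000$Va4plzLi$EtixueZQ1ZQlzQa7eHHsG6UcNvu.EnuCqM79kIyUe82eAZ.JNegn4SBY1RduYlACs0RWLFHD4d//PzQXMsCqk0:14610:0:99999:7:::",
    "daemon:*:14610:0:99999:7:::",
]

if __name__ == "__main__":
    for user, why in audit_shadow(SAMPLE_SHADOW):
        print("%s: %s" % (user, why))
    print(verify("testmd5", SAMPLE_SHADOW[1].split(":")[1]))  # True, 5000 rounds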

Comments:

Minoru said…

Hi!

In my opinion, this trick is aimed at really paranoid guys :) Well, it can be used on servers, but I don't think desktop users really need such a strong security measure.

By the way, you made a little mistake at the beginning of the post - Lenny is 5.0, 4.0 was Etch.

With my best regards,
Minoru

Torsten Werner said…

4.0 was a test to find out if my posts are read by someone at all! Thanks for your comment.

Joost said…

http://packages.debian.org :

You have searched for filenames that contain testmd5 in suite sid, all sections, and all architectures

Joost said…

Sorry, I meant to say that I (nor packages.debian.org) cannot find the testmd5 tool you mention.

Torsten Werner said…

'testmd5' is not a tool, it is the username (and password) I have used for my tests. Just replace it with your own username.

wsxwhx668 said…

This comment has been removed by a blog administrator.

wurzeltrick said…

Now I have finally been able to increase my password security and say goodbye to pam-unix2 at the same time.

Many thanks for your post.