Using Blowfish and key based SSH

xoanan (New member; joined May 18, 2004; 4 messages; location: Fairfax, VA)
Hi all,
We're running FreeBSD and pre-DA setup I hardened the system to our normal specs, custom kernel, etc. I did refrain from setting up firewalling to start, figured to add that later. However, I'm running into a bit of a problem...

We require keys for SSH which is no big deal since I don't think we're going to let end-users log into the system that way, however, we also have updated our system to use Blowfish for encrypting passwords. So, we run into this:

Creating users / admins / resellers is just fine, but if you use the "Change Password" feature in any of the DA screens, the account no longer works. I'm guessing the passwords are not being generated by the BSD utilities since they work fine from a prompt... is there a patch/fix for this?

Thanks in advance,

Xoanan aka Chris
 
Hello,

DA uses the "crypt" function to set the passwords.

For FreeBSD, it uses:

/usr/bin/chpass -p CRYPTEDPASS username

since the CRYPTEDPASS is generated through DA, it might not work if you change it. Not to mention that DA uses the same file for password checking (crypt again) so changing the format might prevent a password match when logging into DA.

John
 
Ok, thanks for the quick reply on that. That pretty much means that we can't use your product for any of our federal customers since we need to run hardened servers, and for both xBSD and Linux variants that means using blowfish or better password encryption throughout.

As a suggestion it would seem that you could (probably should) use PAM for all your password management anyways, that way whatever a sysadmin wants to use (Blowfish/DES/AES) including future methods would just work.

One cool thing is that ProFTPD already has PAM support built-in. :)

A quick overview of PAM is at:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/use-pam.html

Perl PAM Library (probably at CPAN too):
http://www.cs.kuleuven.ac.be/~pelov/pam/

And a developers guide for Linux:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html

Of course as a developer I understand that isn't a small change to consider, but in the long run it's something to consider as security is only going to be a greater concern as things progress.

Chris
 
Hi,

Has this changed lately? I'm having the same problem with blowfish + DA :(

What do I need to change it back to? md5?

Matt
 
I experienced the same problems as well. You'll need to use the "crypt" function for passwords.

It would be good if DA could support Blowfish in the future. It is certainly more secure.
 
This brings the same kind of problems with PHP scripts when you migrate between servers if the script is simply using the crypt() function. It's not using the same encryption on every server.
 
John replied and has added it to the todo list but as low priority, so to keep my directadmin fully functional I will be switching my servers back.

Here is the procedure.

Login via ssh to your server and su to root if not root.

Open /etc/login.conf with your favourite editor.

Look for this line. (near the top)

:passwd_format=blf:\

change to

:passwd_format=md5:\

and save your changes.

Then run 'cap_mkdb /etc/login.conf' in your shell, which should adapt the login database to your changes.

Now open /etc/auth.conf in your editor.

Make sure md5 is listed in this line

crypt_default=blf md5 des

and save.

Now you don't need to do the next step, but if you want your passwords to be switched to md5 immediately then either run passwd <user> in the shell to change the password (change to the same and it will update the user db with md5 encryption of the same password) or you can change it inside directadmin.

There is another option for more advanced users: you can use md5 for directadmin accounts and blf for shell-only accounts such as the root account. You can do this by putting root into its own login class and setting blf for that class in login.conf. I might provide a guide later in this thread if enough people want to do this.
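As an added illustration (not code from the thread or from DirectAdmin), a small Python audit that applies the checks behind the procedure above: classify each hash in a master.passwd-style file by its crypt(3) prefix, confirm the format is in auth.conf's crypt_default list, and flag accounts whose hash format differs from login.conf's passwd_format (the format a password change will produce). The config values and the user entries are constructed samples, and the hash bodies are made up.

```python
import re

# Constructed sample of the two FreeBSD settings the thread edits (illustrative values).
PASSWD_FORMAT = "blf"                              # :passwd_format=blf:\  in /etc/login.conf
CRYPT_DEFAULT_LINE = "crypt_default=blf md5 des"   # line in /etc/auth.conf

# Constructed /etc/master.passwd-style entries; hash bodies are made up, not real hashes.
MASTER_PASSWD = """\
root:$2a$04$saltsaltsaltsaltsaltsuXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$saltsalt$qwertyuiopasdfghjklzxcvbn/:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:ab1cd2ef3gh4i:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/nonexistent:/usr/sbin/nologin
"""

def hash_format(h: str) -> str:
    """Classify a crypt(3) hash by its prefix: blf ($2a$/$2b$), md5 ($1$), des (13 chars), else none."""
    if h.startswith(("$2a$", "$2b$")):
        return "blf"
    if h.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des"
    return "none"  # locked (*), empty, or unrecognised

def allowed_formats(crypt_default_line: str) -> list:
    """Parse 'crypt_default=blf md5 des' from /etc/auth.conf into ['blf', 'md5', 'des']."""
    key, _, value = crypt_default_line.partition("=")
    if key.strip() != "crypt_default":
        raise ValueError("expected a crypt_default= line")
    return value.split()

def audit(master_passwd: str, crypt_default_line: str, passwd_format: str) -> dict:
    """Map each user to (format, verifiable, matches_passwd_format).

    verifiable: the hash's format is in crypt_default, so login can check it at all.
    matches_passwd_format: False means the next password change rewrites the hash in
    passwd_format, which is the mismatch the thread describes.
    """
    allowed = allowed_formats(crypt_default_line)
    report = {}
    for line in master_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        user, hashed = line.split(":")[:2]
        fmt = hash_format(hashed)
        report[user] = (fmt, fmt in allowed, fmt == passwd_format)
    return report

if __name__ == "__main__":
    for user, (fmt, ok, match) in audit(MASTER_PASSWD, CRYPT_DEFAULT_LINE, PASSWD_FORMAT).items():
        print(f"{user:8} {fmt:5} verifiable={ok!s:5} matches_passwd_format={match}")
```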
 
I would be interested in this group thing. I'm the only one with shell access, so I could add my own usernames to that blf group and let regular users manage their passwords from the cp using md5.
 
Hi, I will do a guide this weekend if I get time, but I want to test it before I publish the guide in case it doesn't work out right. I have yet to mix different password encryptions in login.conf on one server and so want to test first.
 
I have been able to successfully use blowfish encryption on a FreeBSD 4.9 machine. After setting the appropriate configuration files, it was necessary to reset the passwords using passwd for each account, but once that was done there were no further problems.
 
AbsurdDoctor: Yes, but if you try changing a password from DA, it'll break. Other functions may be affected too.

Matt
 
Ahh, yes. It's possible to again change their password with passwd each time, but that will quickly become a nuisance on anything with more than a few users.
 