[OpenIndiana-discuss] How to manage a send over ssh
jason matthews
jason at broken.net
Thu Mar 23 23:19:22 UTC 2017
On 3/23/17 2:56 PM, Timothy Coalson wrote:
> The main advantage with this way is that you don't leave root ssh exposed
> for people to try to break into, and the special user for receiving can't
> get higher privileges for anything other than "zfs".
With the notable exception that your unprivileged user can destroy your
file systems :)
If you are worried about someone brute-forcing your password, use a
strong password (at least 13, but I like 20, characters with normal
entropy techniques).
Edit /etc/security/policy.conf
Find the line that reads CRYPT_DEFAULT= and set the value to 2a -- this
will set the hash to Blowfish.
Optionally edit /etc/security/crypt.conf and edit the 2a line to read:
2a crypt_bsdf.so.1 rounds=16
You could use more rounds but this will increase the time it takes to
validate the password. The upside is this should pretty much eliminate
the possibility of someone cracking your passwords. Remember this: if it
takes less than one second to log in (on an idle system), whether it be
shell or web, your passwords can probably be cracked easily. These
settings should significantly reduce the chance of some GPU coming along
and cracking your passwords. Blowfish cannot be implemented well on
current GPUs.
When you are done, your hash should look something like this:
jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::
If someone can crack this hash I will buy you a beer.
The first three characters of the hash, $2a, identify it as Blowfish; the
next sequence, $16, indicates I have configured sixteen rounds. I timed
this so I happen to know it took seven CPU seconds to hash the password.
Seven seconds should severely put a dent in the aspirations of anyone
wanting to crack your shadow file.
j.
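The procedure above (select 2a in policy.conf, raise the cost in crypt.conf, then read the result off the shadow entry) as a small audit script. This is an added example, not code from the post or from OpenIndiana: it writes constructed weak and corrected copies of the two files into a temporary directory, reports whether each pair matches the post's settings, and decodes the algorithm id and cost field of a bcrypt shadow entry. The module name crypt_bsdbf.so.1 in the samples is only there to make a realistic crypt.conf line; the checks do not depend on it.

```shell
#!/bin/sh
# Added example (not from the original post): audit the bcrypt settings the
# post describes and decode a shadow hash's algorithm id and cost.
# File paths are parameters so the checks run against constructed copies.

# Print CRYPT_DEFAULT from a policy.conf; the last uncommented setting wins.
crypt_default() {
    sed -n 's/^[[:space:]]*CRYPT_DEFAULT=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Print the rounds= value on the crypt.conf ($1) line for algorithm id $2,
# or "none" when that line carries no rounds option.
crypt_rounds() {
    awk -v id="$2" '
        $1 == id { for (i = 3; i <= NF; i++)
                       if ($i ~ /^rounds=/) { sub(/^rounds=/, "", $i); print $i; found = 1 } }
        END { if (!found) print "none" }' "$1"
}

# Print "<id> <cost>" for a bcrypt shadow entry or bare hash (e.g. "2a 16");
# print "not-bcrypt" and fail for anything else.
hash_info() {
    h=$1
    case $h in *:*) h=$(printf '%s\n' "$h" | cut -d: -f2) ;; esac
    case $h in
        '$2'[abxy]'$'[0-9][0-9]'$'*) ;;
        *) echo "not-bcrypt"; return 1 ;;
    esac
    printf '%s %s\n' "$(printf '%s\n' "$h" | cut -d'$' -f2)" \
                     "$(printf '%s\n' "$h" | cut -d'$' -f3)"
}

# Succeed only when policy.conf ($1) selects 2a and crypt.conf ($2) gives
# the 2a line at least $3 rounds; print a one-line verdict either way.
audit_crypt() {
    def=$(crypt_default "$1")
    if [ "$def" != "2a" ]; then
        echo "WEAK: CRYPT_DEFAULT=${def:-unset} (want 2a)"; return 1
    fi
    r=$(crypt_rounds "$2" 2a)
    case $r in ''|*[!0-9]*) r=none ;; esac
    if [ "$r" = none ] || [ "$r" -lt "$3" ]; then
        echo "WEAK: 2a rounds=$r (want >= $3)"; return 1
    fi
    echo "OK: CRYPT_DEFAULT=2a rounds=$r"
}

# Write constructed sample pairs into directory $1: a weak pair (traditional
# crypt default, 2a line without rounds) and a pair corrected per the post.
make_samples() {
    d=$1
    printf 'CRYPT_DEFAULT=__unix__\n' > "$d/policy.weak"
    printf '# id  module\n1 crypt_bsdmd5.so.1\n2a crypt_bsdbf.so.1\n' > "$d/crypt.weak"
    printf '# other settings omitted\nCRYPT_DEFAULT=2a\n' > "$d/policy.good"
    printf '1 crypt_bsdmd5.so.1\n2a crypt_bsdbf.so.1 rounds=16\n' > "$d/crypt.good"
}

# Demo: build the constructed samples and audit both pairs, then decode the
# shadow entry quoted in the post.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_crypt "$tmp/policy.weak" "$tmp/crypt.weak" 12 || :
audit_crypt "$tmp/policy.good" "$tmp/crypt.good" 12
hash_info 'jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::'
rm -rf "$tmp"
```

Point audit_crypt at the real /etc/security/policy.conf and /etc/security/crypt.conf to check a live system; the minimum-rounds argument is whatever cost your login latency budget allows.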
More information about the openindiana-discuss mailing list