[OpenIndiana-discuss] How to manage a send over ssh

Geoff Nordli geoffn at gnaa.net
Fri Mar 24 04:09:04 UTC 2017


On 2017-03-23 05:35 PM, jason matthews wrote:
>
>
> On 3/23/17 4:49 PM, Timothy Coalson wrote:
>>> When you are done, your hash should look something like this:
>>> jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/
>>> 8zWdCqO:17248::::::
>>>
>>> If someone can crack this hash I will buy you a beer.
>>>
>> There's some logic to why the shadow file isn't world-readable. You 
>> might
>> want to reset that password soon anyway (if you haven't already), as the
>> NSA may decide not to ask for that beer;)
>>
>>
> First let me assure you, the NSA is not coming in with a password. 
> They might come in through the Intel ME or perhaps through the service 
> processor (Apple recently dumped Supermicro as a vendor due to malware 
> embedded in their service processor firmware updates) but they are not 
> coming with a password. They may even come in with one of the highly 
> bloated BIOSes. There are easier ways than to try to break a 39-character 
> blowfish-hashed password with sixteen rounds.
>
> Hashes used to be left out in the open. The real world circumstances 
> behind concealing hashes and the creation of /etc/shadow date back to 
> the 70's where unix crypt was pretty much unbreakable with the compute 
> power available at the time. When the late 80s and early 90s rolled 
> around suddenly it was possible to calculate hashes fast enough to 
> crack dictionary words. We are well beyond that now. I have three 
> GTX1080 capable of doing 8+ billion hashes per second each for SHA1 
> (assuming a small number of target hashes). The name of the game is to 
> make hashing take a long long time. Since it takes seven CPU seconds 
> for password(1) on an L5630 to compute just one iteration of my 
> thirty-nine character password I am going to bet that it is pretty 
> safe out in the open, unless someone finds a new attack vector against 
> blowfish. In this event, they'll probably get more than a beer from 
> Bruce. The best case scenario is if I only used lower case which means 
> the number of possibilities is limited to 26^39 or (according to echo 
> 26^39 |bc) 15274273784216769021564085930704478424313742483024510976 
> possibilities. Each possibility takes seven seconds. I think my beer 
> money is safe.
>
> While the hash is real, it was for demonstration purposes only. I don't 
> actually use that in a shadow file. Still, show me the plain text and 
> the beer is yours.

If we are worried about security...

Create a separate user that has no shell.

Give that user just the necessary zfs permissions.

Create a batch file that the user can execute, set the zfs recv command 
as the only command that can be remotely executed in the batch file.

Make it so that user can only login from a specific IP address.

Set no-port-forwarding,no-X11-forwarding,no-agent-forwarding.

Geoff
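The five steps above, as an added example that is not part of the original message or of OpenIndiana itself: a forced-command wrapper for the dedicated receive-only user, plus the `authorized_keys` entry that pins the key to one source address and forces the wrapper. All names are constructed assumptions: user `backup`, dataset tree `tank/backup`, sending host `192.0.2.10`, wrapper path `/usr/local/bin/zfs-recv-only`. The `no-pty` option is an addition to the three options listed in the post. The wrapper re-executes the client's request only when it is a `zfs receive` (or `recv`) into the permitted tree with a small set of flags and no shell metacharacters; everything else is logged and refused.

```shell
#!/bin/sh
# Added example, not code from the original thread. sshd runs this script
# instead of whatever the client asked for (command= in authorized_keys) and
# passes the client's request in SSH_ORIGINAL_COMMAND. The script re-executes
# the request only if it is "zfs receive" into the permitted dataset tree.
# Assumptions (constructed, not from the post): user "backup", dataset tree
# "tank/backup", sender 192.0.2.10, wrapper at /usr/local/bin/zfs-recv-only.

ALLOWED_PREFIX="tank/backup"

# check_command REQUEST
# Returns 0 when REQUEST is "zfs receive|recv [-F|-u|-v|-s ...] DATASET" with
# DATASET equal to or below ALLOWED_PREFIX; returns 1 for anything else.
check_command() {
    cmd="$1"
    [ -n "$cmd" ] || return 1
    # Refuse anything that could reach the shell: separators, substitution,
    # redirection, globbing and quoting characters.
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'$'*|*'`'*|*'('*|*')'*|*'<'*|*'>'*|*'*'*|*'?'*|*'['*|*'{'*|*'\'*|*"'"*|*'"'*)
            return 1 ;;
    esac
    set -f                 # no glob expansion while splitting into words
    set -- $cmd
    set +f
    [ $# -ge 3 ] || return 1
    [ "$1" = "zfs" ] || return 1
    case "$2" in
        receive|recv) ;;
        *) return 1 ;;
    esac
    shift 2
    # Every word but the last must be one of a few harmless receive flags;
    # in particular -o/-x property overrides are not accepted.
    while [ $# -gt 1 ]; do
        case "$1" in
            -F|-u|-v|-s) ;;
            *) return 1 ;;
        esac
        shift
    done
    # The last word is the destination dataset; it must stay inside the tree
    # the backup user has been delegated.
    case "$1" in
        "$ALLOWED_PREFIX"|"$ALLOWED_PREFIX"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys_line SOURCE_IP PUBKEY
# Prints the ~backup/.ssh/authorized_keys entry: key usable only from
# SOURCE_IP, always runs the wrapper, no forwarding of any kind, no pty.
authorized_keys_line() {
    printf 'from="%s",command="/usr/local/bin/zfs-recv-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Entry point when invoked by sshd (SSH_ORIGINAL_COMMAND is set only then).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        # Re-split the validated request and run it with the delegated rights.
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        set +f
        exec "$@"
    fi
    logger -p auth.warning -t zfs-recv-only "refused: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
fi
```

Install the script mode 0755, write the output of `authorized_keys_line` into the backup user's `authorized_keys`, and delegate only what a receive needs, e.g. `zfs allow -u backup create,mount,receive tank/backup` (the assumed dataset tree). On the sending side the transfer is then `zfs send ... | ssh backup@receiver zfs receive -F tank/backup/host1/data`; any other request is refused with a log line. One practical caveat for the "no shell" step: sshd executes a forced command through the account's login shell, so the account needs a real `/bin/sh`; it is `command=` together with `no-pty` that keeps the login from being usable interactively.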
