| OpenBSD Security Functionally paranoid! |
Questions about encrypt local passwords
I would like to know which encryption method is used by 'auto'.

Encrypt local passwords using method of encryption as described in login.conf(5). If method is ``auto'', the encryption type will be derived from the user's login class.

man 5 login.conf

Default allowed authentication styles:
auth-defaults:auth=password,skey

Does this mean that by default local passwords are stored using the S/Key system? Which algorithm is used by the S/Key system, MD4 or MD5?

Note: For the moment I am using qemu to get comfortable with OpenBSD.
From login.conf(5):
Code:
localcipher string blowfish,6 The cipher to use for local
passwords. Possible values
are: ``old'',
``newsalt,<rounds>'', ``md5'',
and ``blowfish,<rounds>'' where
``old'' means classic 56-bit
DES. For ``newsalt'' the value
of rounds is a 24-bit integer
with a minimum of 7250 rounds.
For ``blowfish'' the value can
be between 4 and 31. It speci-
fies the base 2 logarithm of
the number of rounds.
S/Key is a one-time-passphrase authentication system. For more information, see the man pages: skey(1), skeyinit(1), skeyinfo(1), skey(5), skeyaudit(1), skeyprune(1).

I have skey set up on one of my servers for ssh access from public-access computers. The one-time-passwords are useful in situations where public key encryption cannot be used. (Keyboard capture applications will not be able to take advantage of one-time-passphrases, but they could certainly acquire other information if the user is not careful on such computers.)
__________________
OpenBSD LiveCDs/LiveDVDs |
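The `localcipher` rules quoted from login.conf(5) above, turned into a small audit check. This is an added example, not part of the original posts and not OpenBSD code. The sample file contents, the `legacy` class and the `min_log2=8` policy threshold are assumptions made for illustration, and `tc=` inheritance is not resolved.

```python
import re

# Constructed sample in login.conf(5) capability format; not taken from the thread.
SAMPLE = r"""
default:\
    :localcipher=blowfish,6:\
    :tc=auth-defaults:
daemon:\
    :localcipher=blowfish,8:\
    :tc=default:
legacy:\
    :localcipher=md5:
"""

def parse_localcipher(value):
    """Validate a localcipher value; return (cipher, rounds, iterations)."""
    name, _, arg = value.partition(",")
    if name in ("old", "md5") and not arg:
        return name, None, None            # these take no rounds argument
    if not arg.isdigit():
        raise ValueError(f"bad localcipher value {value!r}")
    rounds = int(arg)
    if name == "newsalt" and 7250 <= rounds < 2**24:
        return name, rounds, rounds        # 24-bit integer, minimum 7250
    if name == "blowfish" and 4 <= rounds <= 31:
        return name, rounds, 2**rounds     # value is log2 of the round count
    raise ValueError(f"bad localcipher value {value!r}")

def audit(conf_text, min_log2=8):
    """Map login class -> (value, verdict). min_log2 is an assumed site policy."""
    report = {}
    # Fold backslash-newline continuations so each class is one record.
    for line in re.sub(r"\\\n\s*", "", conf_text).splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        for field in fields[1:]:
            if not field.startswith("localcipher="):
                continue
            value = field.split("=", 1)[1]
            try:
                cipher, rounds, _ = parse_localcipher(value)
                strong = cipher == "blowfish" and rounds >= min_log2
                verdict = "ok" if strong else "weak"
            except ValueError as exc:
                verdict = f"invalid: {exc}"
            report[fields[0]] = (value, verdict)
    return report

if __name__ == "__main__":
    for cls, (value, verdict) in audit(SAMPLE).items():
        print(f"{cls:8} {value:12} {verdict}")
```
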
Thanks for the clarification.
But I have another question:
Quote:
In essence, by default, is a more robust encoding assigned in the case of execution of daemons, and a slightly less robust one for passwords?
The daemon class is used by /etc/rc and root.

I do not know the reason for the different number of rounds, I could only guess it is for performance. You're welcome to change ciphers, or change the number of rounds, as you wish. The encrypted passwords are stored in /etc/master.passwd which requires root access. (If root is compromised, passwords won't matter anyway.)

There was a thread in the misc@ archives from December 2005, about the blowfish cipher and its use. The thread also discusses other cipher technologies, including MD5. It starts here: http://marc.info/?l=openbsd-misc&m=113588769128789&w=2
According to Wikipedia, blowfish is considerably resource intensive.. which makes brute force attacks especially hard.

I trust the OpenBSD developers have done us justice.. still, pick a long alpha-numeric password.. 20/30 characters in length if your memorization skills are well honed.