Hi all, Following the 'a' -> 'b' default Blowfish hash change[0], some examples got updated[1], while others remained with the older minor 'a'.
Diffs below bring the remaining ones up to date. I had also increased the rounds from old default of 6 to current 8 (where appropriate) and brought a couple of example command lines closer to 80-character mark. [0] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/bcrypt.c.diff?r1=1.40&r2=1.41 [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/crypt/crypt.3.diff?r1=1.35&r2=1.36 Regards, Raf Changes to 'src': Index: share/man/man8/autoinstall.8 =================================================================== RCS file: /cvs/src/share/man/man8/autoinstall.8,v retrieving revision 1.11 diff -u -p -r1.11 autoinstall.8 --- share/man/man8/autoinstall.8 23 Oct 2014 21:33:21 -0000 1.11 +++ share/man/man8/autoinstall.8 20 Mar 2015 21:58:09 -0000 @@ -152,7 +152,7 @@ A typical file will look something like this: .Bd -literal -offset indent System hostname = server1 -Password for root = $2a$14$Z4xRMg8vDpgYH...GVot3ySoj8yby +Password for root = $2b$14$o8GT1EPT3YMNC...lB91R.MmlNkhS Change the default console to com0 = yes Which speed should com0 use = 19200 Setup a user = puffy Index: usr.bin/ssh/auth.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.c,v retrieving revision 1.110 diff -u -p -r1.110 auth.c --- usr.bin/ssh/auth.c 25 Feb 2015 17:29:38 -0000 1.110 +++ usr.bin/ssh/auth.c 20 Mar 2015 21:58:21 -0000 @@ -631,7 +631,7 @@ fakepw(void) memset(&fake, 0, sizeof(fake)); fake.pw_name = "NOUSER"; fake.pw_passwd = - "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; + "$2b$08$j3YTnoPe4yrFjUroXF4DxewuBlvOGEqx0rn0l48MZac28bmDQNi26"; fake.pw_gecos = "NOUSER"; fake.pw_uid = (uid_t)-1; fake.pw_gid = (gid_t)-1; Index: usr.sbin/adduser/adduser.8 =================================================================== RCS file: /cvs/src/usr.sbin/adduser/adduser.8,v retrieving revision 1.43 diff -u -p -r1.43 adduser.8 --- usr.sbin/adduser/adduser.8 1 Oct 2014 09:56:36 -0000 1.43 +++ usr.sbin/adduser/adduser.8 20 Mar 2015 21:58:23 -0000 @@ -373,7 +373,7 @@ The password has been created using .Xr encrypt 1 : .Bd -literal -offset indent # adduser -batch falken guest,staff,beer 'Prof. Falken' \e - $2a$06$1Sdjxjoxg4cNmT6zAxriGOLgdLXQ3HdJ2dKBbzEk68jSrO1EtLJ3C + $2b$08$/lZQzXHzMBB1gwpIyC/5OOMyWfEvqdORroEA9/kwmoEgyOCLLd5fm .Ed .Pp Create user Index: usr.sbin/smtpd/table.5 =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/table.5,v retrieving revision 1.4 diff -u -p -r1.4 table.5 --- usr.sbin/smtpd/table.5 4 Feb 2014 16:32:36 -0000 1.4 +++ usr.sbin/smtpd/table.5 20 Mar 2015 21:58:26 -0000 @@ -131,8 +131,8 @@ accept for any relay tls+auth://label@ho In a listener context, the credentials are a mapping of username and encrypted passwords: .Bd -literal -offset indent -user1 $2a$06$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe -user2 $2a$06$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK +user1 $2b$08$fANRrzRweP9I5.wGoj4AfuYU7AHI7y.0PJw6L5pPPDAu2oTRfXv76 +user2 $2b$08$prHIlrDk19rmQr.GekyXUuLIMm0mkkjDhVTSioXxnXZHyiqP7oWc2 .Ed .Pp The passwords are to be encrypted using the and to 'www': Index: faq/faq10.html =================================================================== RCS file: /cvs/www/faq/faq10.html,v retrieving revision 1.192 diff -u -p -r1.192 faq10.html --- faq/faq10.html 13 Jan 2015 01:07:40 -0000 1.192 +++ faq/faq10.html 20 Mar 2015 22:53:06 -0000 @@ -422,7 +422,7 @@ not to remove the user's home directory. Enter login name for user to remove: <b>testuser</b> Matching password entry: -testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002 +testuser:$2b$08$8YOnrz5IEssA1YBogoJafevLJZ7VXnNB192NIxVXE5Buc4k0sumde:1002 :31::0:0:Test FAQ User:/home/testuser:/bin/ksh Is this the entry you wish to remove? <b>y</b> @@ -493,14 +493,14 @@ Importantly, the passwords must be encry <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=encrypt&sektion=1";>encrypt(1)</a> utility. For example: OpenBSD's passwords by default use the Blowfish -algorithm for 6 rounds. +algorithm for 8 rounds. Here is an example to create an encrypted password to give to useradd(8). <blockquote><pre> -$ <b>encrypt -p -b 6</b> +$ <b>encrypt -p -b 8</b> Enter string: -$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq +$2b$08$Uf4MnIxIS2YahDJxsW0xtun2HUTwRp4vxcaGvoHPpzDIMBg9d0ZK2 </pre></blockquote> <p> @@ -509,8 +509,8 @@ We will add the same user with the same we added <a href="#adduser">above</a>, via adduser(8). <blockquote><pre> -# <b>user add -p '$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq' -u 1002 \ --s /bin/ksh -c "Test FAQ User" -m -g guest testuser</b> +# <b>user add -p '$2b$08$Uf4MnIxIS2YahDJxsW0xtun2HUTwRp4vxcaGvoHPpzDIMBg9d0ZK2' \ +-u 1002 -s /bin/ksh -c "Test FAQ User" -m -g guest testuser</b> </pre></blockquote> <p> Index: faq/obsd-faq.txt =================================================================== RCS file: /cvs/www/faq/obsd-faq.txt,v retrieving revision 1.38 diff -u -p -r1.38 obsd-faq.txt --- faq/obsd-faq.txt 1 Mar 2015 02:36:59 -0000 1.38 +++ faq/obsd-faq.txt 20 Mar 2015 22:53:07 -0000 @@ -8287,7 +8287,7 @@ or not to remove the user's home directo Enter login name for user to remove: testuser Matching password entry: - testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002 + testuser:$2b$08$8YOnrz5IEssA1YBogoJafevLJZ7VXnNB192NIxVXE5Buc4k0sumde:1002 :31::0:0:Test FAQ User:/home/testuser:/bin/ksh Is this the entry you wish to remove? y @@ -8340,19 +8340,19 @@ line options. For example, we want the u not users. One more little hurdle with adding users, is that passwords must be specified on the command line. Importantly, the passwords must be encrypted, so you need to use the encrypt(1) utility. For example: OpenBSD's passwords by -default use the Blowfish algorithm for 6 rounds. Here is an example to create +default use the Blowfish algorithm for 8 rounds. Here is an example to create an encrypted password to give to useradd(8). - $ encrypt -p -b 6 + $ encrypt -p -b 8 Enter string: - $2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq + $2b$08$Uf4MnIxIS2YahDJxsW0xtun2HUTwRp4vxcaGvoHPpzDIMBg9d0ZK2 Now that we have an encrypted password, we are ready to add the user. We will add the same user with the same specifications as the user we added above, via adduser(8). - # user add -p '$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq' -u 1002 \ - -s /bin/ksh -c "Test FAQ User" -m -g guest testuser + # user add -p '$2b$08$Uf4MnIxIS2YahDJxsW0xtun2HUTwRp4vxcaGvoHPpzDIMBg9d0ZK2' \ + -u 1002 -s /bin/ksh -c "Test FAQ User" -m -g guest testuser Note: Make sure to use ' ' (single quotes) around the password string, not " " (double quotes) as the shell will interpret these before sending it to user Index: opensmtpd/table.5.html =================================================================== RCS file: /cvs/www/opensmtpd/table.5.html,v retrieving revision 1.1 diff -u -p -r1.1 table.5.html --- opensmtpd/table.5.html 6 Dec 2013 10:57:39 -0000 1.1 +++ opensmtpd/table.5.html 20 Mar 2015 22:53:07 -0000 @@ -88,8 +88,8 @@ accept for any relay tls+auth://label@ho <p> In a listener context, the credentials are a mapping of username and encrypted passwords:<p> <pre style="margin-left: 5.00ex;" class="lit display"> -user1 $2a$06$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe -user2 $2a$06$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK</pre> +user1 $2b$08$fANRrzRweP9I5.wGoj4AfuYU7AHI7y.0PJw6L5pPPDAu2oTRfXv76 +user2 $2b$08$prHIlrDk19rmQr.GekyXUuLIMm0mkkjDhVTSioXxnXZHyiqP7oWc2</pre> <p> The passwords are to be encrypted using the <a class="link-man">smtpctl(8)</a> encrypt subcommand.<p> In a relay context, the credentials are a mapping of labels and username:password pairs, where the username may be omitted if identical to the label:<p>
