From 957be44dcca09f50936cb0deb260fe975d4f0b11 Mon Sep 17 00:00:00 2001 From: Peter Powell Date: Fri, 9 Sep 2016 10:20:16 +0100 Subject: [PATCH] Update documentation for password hashing. - Follow best current practises by using bcrypt almost everywhere in the example configuration files. - Document the existence of new hashing modules in master. --- docs/conf/inspircd.conf.example | 14 ++++++++------ docs/conf/modules.conf.example | 18 ++++++++++-------- docs/conf/opers.conf.example | 13 +++++++------ 3 files changed, 25 insertions(+), 20 deletions(-) diff --git a/docs/conf/inspircd.conf.example b/docs/conf/inspircd.conf.example index d56ac55ac..db7c069bb 100644 --- a/docs/conf/inspircd.conf.example +++ b/docs/conf/inspircd.conf.example @@ -255,12 +255,14 @@ # allow: What IP addresses/hosts to allow for this block. allow="203.0.113.*" - # hash: what hash this password is hashed with. requires the module - # for selected hash (md5, sha256 or ripemd160) be loaded and the - # password hashing module (password_hash) loaded. - # Optional, but recommended. Create hashed passwords with: - # /mkpasswd - #hash="sha256" + # hash: the hash function this password is hashed with. Requires the + # module for the selected function (bcrypt, md5, sha1, sha256, or + # ripemd160) and the password hashing module (password_hash) to be + # loaded. + # You may also use any of the above other than bcrypt prefixed with + # either "hmac-" or "pbkdf2-hmac-" (requires the pbkdf2 module). + # Create hashed passwords with: /mkpasswd + #hash="bcrypt" # password: Password to use for this block/user(s) password="secret" diff --git a/docs/conf/modules.conf.example b/docs/conf/modules.conf.example index 8d5251aec..4352b0a09 100644 --- a/docs/conf/modules.conf.example +++ b/docs/conf/modules.conf.example 
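Review bot: The rewritten `# hash:` comment in the inspircd.conf.example hunk lists md5, sha1, sha256 and ripemd160 alongside bcrypt without saying which are suitable for stored passwords. It also drops the old "Optional, but recommended" sentence, while the example still ships `#hash="bcrypt"` commented out above `password="secret"`. The plain digests are fast and unsalted, so a leaked config is cheap to attack by offline guessing, and a reader of this block alone gets no hint of that. I would add `# bcrypt is recommended; avoid plain md5/sha1/sha256/ripemd160 for new passwords as they are fast and unsalted.` and keep a sentence recommending that hash be set at all. The same comment text is added in the opers.conf.example hunk and deserves the same line.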
@@ -653,7 +653,7 @@ # # #<title name="bar" password="foo" host="ident@test.org" title="Official Chat Helper" vhost="helper.test.org"> -#<title name="foo" password="fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9" hash="sha256" title="Official Chat Helper"> +#<title name="foo" password="$2a$10$UYZ4OcO8NNTCCGyCdY9SK.2GHiqGgxZfHFPOPmWuxEVWVQTtoDC7C" hash="bcrypt" title="Official Chat Helper"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # DCCALLOW module: Adds the /DCCALLOW command. @@ -1385,7 +1385,7 @@ #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Password hash module: Allows hashed passwords to be used. -# To be useful, a hashing module like sha256 also needs to be loaded. +# To be useful, a hashing module like bcrypt also needs to be loaded. #<module name="password_hash"> # #-#-#-#-#-#-#-#-#-# PASSWORD HASH CONFIGURATION #-#-#-#-#-#-#-#-#-#-#-# @@ -1395,12 +1395,14 @@ # # <oper name="Brain" # host="ident@dialup15.isp.test.com" -# hash="sha256" -# password="01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" +# hash="bcrypt" +# password="$2a$10$Mss9AtHHslZTLBrXqM0FB.JBwD.UTSu8A48SfrY9exrpxbsRiRTbO" # type="NetAdmin"> # -# Starting from 2.0, you can use a more secure salted hash that prevents simply -# looking up the hash's value in a rainbow table built for the hash. +# If you are using a hash algorithm which does not perform salting you can use +# HMAC to salt your passwords in order to prevent them from being looked up in +# a rainbow table. +# # hash="hmac-sha256" password="lkS1Nbtp$CyLd/WPQXizsbxFUTqFRoMvaC+zhOULEeZaQkUJj+Gg" # # Generate hashes using the /MKPASSWD command on the server. @@ -1939,7 +1941,7 @@ # # # See also: http://wiki.inspircd.org/Modules/sqloper # # # -#<sqloper dbid="1" hash="md5"> +#<sqloper dbid="1" hash="bcrypt"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # StartTLS module: Implements STARTTLS, which allows clients # 
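Review bot: In the @@ -1395 hunk the new paragraph presents HMAC as the answer for algorithms that do not salt, but a salted HMAC is still a fast, un-iterated computation. It stops rainbow-table lookups and does little against offline guessing of a leaked hash. The line below it still shows `hash="hmac-sha256"` as the only alternative, and this hunk never mentions the `pbkdf2-hmac-` prefix that the other two files in this patch document. I would extend the comment with `# HMAC only adds a salt; prefer bcrypt or a "pbkdf2-hmac-" hash, which are deliberately slow to compute.` The password_hash comment block continues outside the hunk, so this may already be covered further down.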
@@ -2014,7 +2016,7 @@ # host - Vhost to set. # # #<vhost user="some_username" pass="some_password" host="some.host.test.cc"> -#<vhost user="foo" password="fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9" hash="sha256" host="some.other.host.example.com"> +#<vhost user="foo" password="$2a$10$iTuYLT6BRhRlOgzfsW9oPe62etW.oXwSpyKw5rJit64SGZanLXghO" hash="bcrypt" host="some.other.host.example.com"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Watch module: Adds the WATCH command, which is used by clients to diff --git a/docs/conf/opers.conf.example b/docs/conf/opers.conf.example index 3ede475f6..5e1ec28f5 100644 --- a/docs/conf/opers.conf.example +++ b/docs/conf/opers.conf.example @@ -141,13 +141,14 @@ # Remember: This is case sensitive. name="Adam" - # hash: What hash this password is hashed with. - # Requires the module for selected hash (md5, sha256 or ripemd160) - # be loaded and the password hashing module (password_hash) loaded. - # Options here are: "md5", "sha256" and "ripemd160", or one of - # these prefixed with "hmac-", e.g.: "hmac-sha256". + # hash: the hash function this password is hashed with. Requires the + # module for the selected function (bcrypt, md5, sha1, sha256, or + # ripemd160) and the password hashing module (password_hash) to be + # loaded. + # You may also use any of the above other than bcrypt prefixed with + # either "hmac-" or "pbkdf2-hmac-" (requires the pbkdf2 module). # Create hashed passwords with: /mkpasswd <hash> <password> - hash="hmac-sha256" + hash="bcrypt" # password: A hash of the password (see above option) hashed # with /mkpasswd <hash> <password>. See the password_hash module -- 2.39.5
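Review bot: The opers.conf.example hunk switches the live setting to `hash="bcrypt"`, but the `password=` value it must match sits below the end of the hunk. The diffstat for this file (13 changed lines, all visible here) suggests the patch does not touch that value. If it is still a hash generated for the previous `hmac-sha256` setting, anyone copying the block gets an oper entry whose hash and password disagree. Please confirm, and if so regenerate the sample with `/mkpasswd bcrypt <password>` in the same commit.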