Password secure encryption/hashing

Started by mareknejedly, July 08, 2019, 05:01:38 PM

Hello,

I was trying to find the information about security of the passwords for OpnSense and OpenVPN but I was not successful.

Can you please let me know what the password security is for the two mentioned technologies? Does it use masked passwords, salting, stretching, etc.? Where can I find this kind of technical documentation?

I was trying to look to the https://docs.opnsense.org/intro.html but I was not successful.

Thank you very much for your help.

Kind regards,

Marek

The most accurate technical documentation is the code:
function local_user_set_password(&$user, $password = null)
{
    $cost = 10; /* bcrypt work factor: 2^10 key-expansion rounds */

    if ($password == null) {
        /* generate a random password: 50 random bytes, bin2hex() + pack('H*') is a byte-for-byte round trip */
        $bytes = openssl_random_pseudo_bytes(50);
        $password = pack('H*', bin2hex($bytes));
    }

    /* password_hash() generates a random salt itself and embeds it in the returned string */
    $hash = password_hash($password, PASSWORD_BCRYPT, [ 'cost' => $cost ]);
    if ($hash !== false) {
        $user['password'] = $hash;
    }
}

If I understand that right, all local users use bcrypt2 with 2^10 rounds and a 50-byte salt.

There's no salt present, $password == null is for when you select "scramble password" so that you end up with a pseudo-locked account (that you could still use via SSH key). That's e.g. pretty good for the root account, but we're also able to disable password authentication entirely for root ("disable", but cannot fully lock the root account because background daemons like cron need it) if need be.


Cheers,
Franco

July 08, 2019, 07:32:37 PM #3 Last Edit: July 08, 2019, 10:06:26 PM by Mks
Hi.

Quote: There's no salt present

Usually bcrypt generates the salt randomly and automatically, so I assume it's the same in OPNsense.

Edit: Found it myself
https://www.php.net/manual/en/password.constants.php

Br

Quote from: ruffy91 on July 08, 2019, 06:09:14 PM
The most accurate technical documentation is the code:
function local_user_set_password(&$user, $password = null)
{
    $cost = 10; /* bcrypt work factor: 2^10 key-expansion rounds */

    if ($password == null) {
        /* generate a random password: 50 random bytes, bin2hex() + pack('H*') is a byte-for-byte round trip */
        $bytes = openssl_random_pseudo_bytes(50);
        $password = pack('H*', bin2hex($bytes));
    }

    /* password_hash() generates a random salt itself and embeds it in the returned string */
    $hash = password_hash($password, PASSWORD_BCRYPT, [ 'cost' => $cost ]);
    if ($hash !== false) {
        $user['password'] = $hash;
    }
}

If I understand that right, all local users use bcrypt2 with 2^10 rounds and a 50-byte salt.

Hey, thank you very much.

Can you please send me the link to the source code documentation?

Thanks a lot!


Yes, sorry, the 50 bytes are for generating a random password.
The salt should be 128-bit, but I found no definitive source for this.

Quote from: ruffy91 on July 08, 2019, 11:33:22 PM
Yes, sorry, the 50 bytes are for generating a random password.
The salt should be 128-bit, but I found no definitive source for this.

For security you need 80 bits currently, so the next good length is 128 (which is the block size of most encryption systems). So 128 is a good fit and there is still some safety space left.
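To settle the two points argued above (2^10 rounds, and whether a 128-bit salt is present), here is an added example that is not part of the thread and not OPNsense's or PHP's own code. It parses a bcrypt string of the shape PHP's password_hash(..., PASSWORD_BCRYPT) returns ("$2y$" identifier, two-digit cost, 22 salt characters, 31 digest characters) and pulls the cost and the embedded salt back out. The sample hash is constructed from a fixed 16-byte salt and a placeholder digest; it is not the hash of any real password and exists only to exercise the parser.

```python
"""Inspect a bcrypt string as produced by PHP's password_hash(..., PASSWORD_BCRYPT).

Modular-crypt layout: $2y$<cost>$<22 chars salt><31 chars digest>
The salt is not stored separately: it is generated at hash time and embedded
in the string, so verification needs nothing but the stored value.
"""
import base64
import re

# bcrypt uses its own base64 alphabet (different ordering than RFC 4648, no padding).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)
_TO_BCRYPT = str.maketrans(STD_ALPHABET, BCRYPT_ALPHABET)

_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant by mapping it onto the standard alphabet."""
    std = text.translate(_TO_STD)
    std += "=" * (-len(std) % 4)  # bcrypt omits padding; b64decode requires it
    return base64.b64decode(std)


def encode_salt(raw_salt: bytes) -> str:
    """Encode a 16-byte salt into the 22 characters bcrypt stores.

    22 chars carry 132 bits, so only the top 2 bits of the last char are data;
    a genuine bcrypt salt therefore always ends in one of '.', 'O', 'e', 'u'.
    """
    if len(raw_salt) != 16:
        raise ValueError("bcrypt salts are exactly 16 bytes (128 bits)")
    std = base64.b64encode(raw_salt).decode("ascii").rstrip("=")  # 22 chars
    return std.translate(_TO_BCRYPT)


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into identifier, cost, salt and digest.

    Raises ValueError for anything that is not a well-formed bcrypt string,
    which is handy for spotting legacy or corrupted entries in a user store.
    """
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    ident, cost_str, salt_b64, digest_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError(f"cost {cost} out of range")
    salt = bcrypt_b64decode(salt_b64)      # 22 chars -> 16 bytes
    digest = bcrypt_b64decode(digest_b64)  # 31 chars -> 23 bytes
    return {
        "ident": ident,
        "cost": cost,
        "iterations": 2 ** cost,  # the "2^10 rounds" the thread refers to
        "salt": salt,
        "salt_bits": len(salt) * 8,
        "digest": digest,
    }


# Constructed sample (assumption for this example): a fixed 16-byte salt and a
# placeholder digest. This is NOT a real hash of any password.
SAMPLE_SALT = bytes(range(16))
SAMPLE_HASH = "$2y$10$" + encode_salt(SAMPLE_SALT) + "0" * 31

if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    print(f"ident={info['ident']} cost={info['cost']} iterations={info['iterations']}")
    print(f"salt ({info['salt_bits']} bits) = {info['salt'].hex()}")
```

Running it reports cost 10, 1024 iterations and a 16-byte (128-bit) salt, which is why no salt handling appears in the PHP function: password_hash() draws the salt itself and stores it inside the returned string, and password_verify() reads it back from there. Two practitioner caveats: bcrypt only consumes the first 72 bytes of the password (the 50-byte scrambled password in the code above is within that limit), and a stored value that fails parse_bcrypt() was not produced by this code path, so the function doubles as a cheap audit for legacy entries.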