Timestamp:
11/16/2022 04:15:27 PM
Author:
Pierre Labastie <pierre.labastie@…>
Branches:
11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/llvm18, xry111/xf86-video-removal
Children:
ae27cdc
Parents:
42d51c6
git-author:
Pierre Labastie <pierre.labastie@…> (11/16/2022 03:39:23 PM)
git-committer:
Pierre Labastie <pierre.labastie@…> (11/16/2022 04:15:27 PM)
Message:

Shadow: increase the number of rounds for passwd

For the SHA512 crypt method, the default number of rounds (5000) is
too low to prevent brute force attacks on modern hardware. Multiply
it by 1000 (not sure it is enough).

File:
1 edited

  • postlfs/security/shadow.xml

    r42d51c6 r4635a45d  
    139139
    140140sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
     141    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\1000@'      \
    141142    -e 's@/var/spool/mail@/var/mail@'                 \
    142143    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
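Review bot: the new line 141 pins the cost of every password check rather than choosing a range: the pattern `SHA_CRYPT_..._ROUNDS 5000` matches both `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS`, so both become 5000000, and each hash computation (login, su, passwd) then takes roughly a thousand times as long as the 5000-round default. That figure should be timed on the hardware the book targets before it is committed; the commit message's own "not sure it is enough" shows the value was not measured. The replacement `\1000` works only because sed reads it as the single-digit backreference `\1` followed by the literal `000`; a short comment in the build instructions would spare readers from parsing it as a four-digit group number.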
     
    188189    <para>
    189190      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
    190       's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
    191       -i etc/login.defs</command>: Instead of using
    192       the default 'DES' method, this command modifies the installation to use
    193       the more secure 'SHA512' method of hashing passwords, which also allows
    194       passwords longer than eight characters. It also changes the obsolete
    195       <filename class="directory">/var/spool/mail</filename> location for user
    196       mailboxes that <application>Shadow</application> uses by default to the
    197       <filename class="directory">/var/mail</filename> location. It also
    198       changes the default path to be consistent with that set in LFS.
     191        's@#SHA_CRYPT_..._ROUNDS 5000@&amp;000@' -e
     192        's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
     193        -i etc/login.defs</command>: Instead of using the default 'DES'
     194      method, this command modifies the installation to use the more secure
     195      'SHA512' method of hashing passwords, which also allows passwords
     196      longer than eight characters. The number of rounds is also increased
     197      to prevent brute force pasword attacks. The command also changes the
     198      obsolete <filename class="directory">/var/spool/mail</filename> location
     199      for user mailboxes that <application>Shadow</application> uses by
     200      default to the <filename class="directory">/var/mail</filename>
     201      location. It also changes the default path to be consistent with that
     202      set in LFS.
    199203    </para>
    200204<!--
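Review bot: the command quoted on new line 191 is not the command the instructions run on line 141, and it would not work: `&amp;000` substitutes the whole match, which includes the leading `#`, so the result is `#SHA_CRYPT_MIN_ROUNDS 5000000` and the setting stays commented out, whereas the instructions capture the text after `#` with `\(...\)` and emit `\1000`, which uncomments it. Quote the same `s@#\(SHA_CRYPT_..._ROUNDS 5000\)@\1000@` expression in the explanation. Also, "pasword" on new line 198 should be "password", and the sentence could name the resulting value (5000000 rounds) so readers know what "increased" means.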