Changeset c232507 for chapter08/shadow.xml
- Timestamp: 07/03/2023 01:28:36 PM (12 months ago)
- Branches: 12.0, 12.0-rc1, 12.1, 12.1-rc1, multilib, renodr/libudev-from-systemd, trunk, xry111/arm64, xry111/arm64-12.0, xry111/clfs-ng, xry111/loongarch, xry111/loongarch-12.0, xry111/loongarch-12.1, xry111/mips64el, xry111/update-glibc
- Children: 337b9c8
- Parents: f4313a7
- File: 1 edited
chapter08/shadow.xml
rf4313a7 rc232507 61 61 62 62 <para id="shadow-login_defs">Instead of using the default 63 <emphasis>crypt</emphasis> method, use the more secure 64 <emphasis>SHA-512</emphasis> method of password encryption, which also 65 allows passwords longer than 8 characters. In addition, set the number of 66 rounds to 500,000 instead of the default 5000, which is much too low to 67 prevent brute force password attacks. It is also necessary to change 63 <emphasis>crypt</emphasis> method, use the much more secure 64 <emphasis>YESCRYPT</emphasis> method of password encryption, which also 65 allows passwords longer than 8 characters. 66 It is also necessary to change 68 67 the obsolete <filename class="directory">/var/spool/mail</filename> location 69 68 for user mailboxes that Shadow uses by default to the <filename … … 82 81 </note> 83 82 84 <screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \ 85 -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \ 86 -e 's:/var/spool/mail:/var/mail:' \ 87 -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ 83 <screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \ 84 -e 's:/var/spool/mail:/var/mail:' \ 85 -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ 88 86 -i etc/login.defs</userinput></screen> 89 87 … … 107 105 108 106 <screen><userinput remap="configure">touch /usr/bin/passwd 109 ./configure --sysconfdir=/etc \ 110 --disable-static \ 107 ./configure --sysconfdir=/etc \ 108 --disable-static \ 109 --with-{b,yes}crypt \ 111 110 --with-group-name-max-length=32</userinput></screen> 112 111 … … 123 122 </listitem> 124 123 </varlistentry> 124 125 <varlistentry> 126 <term><parameter>--with-{b,yes}crypt</parameter></term> 127 <listitem> 128 <para>The shell expands this to two switches, 129 <parameter>--with-bcrypt</parameter> and 130 <parameter>--with-yescrypt</parameter>. They allow shadow to use 131 the Bcrypt and Yescrypt algorithms implemented by 132 <application>Libxcrypt</application> for hashing passwords. 
133 These algorithms are more secure (in particular, much more 134 resistant to GPU-based attacks) than the traditional SHA 135 algorithms.</para> 136 </listitem> 137 </varlistentry> 138 125 139 <varlistentry> 126 140 <term><parameter>--with-group-name-max-length=32</parameter></term>
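Review bot: In the rewritten shadow-login_defs paragraph, the sentence about raising the rounds to 500,000 is dropped with no replacement, so the text no longer says anything about the work factor behind the new YESCRYPT setting. Add a sentence stating that the method's default cost is kept (or how to change it), so a reader can see why the SHA_CRYPT rounds edit went away. The claim "much more secure" would also read better with a pointer to the GPU-resistance explanation given in the new --with-{b,yes}crypt entry.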
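Review bot: In the sed hunk, `ENCRYPT_METHOD YESCRYPT` is written into etc/login.defs in the "pre" step, but it is only usable if the `--with-{b,yes}crypt` switch added to configure further down is passed, and nothing in the text ties the two together. A short note next to the sed command stating that dependency would help anyone who customises the configure line, since they would otherwise end up with a login.defs that names a method shadow was not built with. Since sed reports success even when `#ENCRYPT_METHOD DES` does not match, it would also be worth telling the reader to confirm the resulting ENCRYPT_METHOD line in etc/login.defs.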
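Review bot: The new `--with-{b,yes}crypt` varlistentry says both Bcrypt and Yescrypt are enabled, but the sed command in this same change only selects YESCRYPT, so the entry should state why bcrypt support is built as well or the switch should be reduced to `--with-yescrypt`. "The shell expands this" is true only for a shell with brace expansion, so name the shell or write the two switches out in the configure command. "The traditional SHA algorithms" is vague; naming the SHA-512 method that this change replaces would be more precise. Because the entry relies on Libxcrypt for the implementation, it should also say that Libxcrypt must already be installed at this point in the build.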