| field | value | date |
|---|---|---|
| author | Balint Reczey <balint@balintreczey.hu> | 2022-03-02 21:08:43 +0100 |
| committer | Balint Reczey <balint@balintreczey.hu> | 2022-03-03 17:59:43 +0100 |
| commit | cfbad60da975da71b30ea041bc893ae79662508f (patch) | |
| tree | 6ebabb519c69905d08fd5b46e6ed421f09107aba /debian | |
| parent | f6500af0fb00845d79e342c670d075ebdac0dffe (diff) | |
| download | shadow-cfbad60da975da71b30ea041bc893ae79662508f.tar.gz | |
login.defs: Warn about weak cryptographic choices, like upstream
Diffstat (limited to 'debian')
-rw-r--r-- | debian/login.defs | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/debian/login.defs b/debian/login.defs index 3e03a961..ebf22430 100644 --- a/debian/login.defs +++ b/debian/login.defs @@ -279,11 +279,13 @@ USERGROUPS_ENAB yes #MD5_CRYPT_ENAB no # -# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password # If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. # Overrides the MD5_CRYPT_ENAB option # # Note: It is recommended to use a value consistent with 
@@ -292,20 +294,21 @@ USERGROUPS_ENAB yes ENCRYPT_METHOD SHA512 # -# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # # Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute forcing the password. -# But note also that it more CPU resources will be needed to authenticate -# users. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. # -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be inside the 1000-999999999 range. +# If not specified, the libc will choose the default number of rounds (5000), +# which is orders of magnitude too low for modern hardware. +# The values must be within the 1000-999999999 range. # If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. # -# SHA_CRYPT_MIN_ROUNDS 5000 -# SHA_CRYPT_MAX_ROUNDS 5000 +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 # # Only works if ENCRYPT_METHOD is set to YESCRYPT. |
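Review bot: BCRYPT is added as an accepted ENCRYPT_METHOD value in the first hunk (`+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password`) but nothing in the diff documents a cost or rounds setting for it, whereas SHA256/SHA512 get SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS and YESCRYPT gets its own "Only works if ENCRYPT_METHOD is set to YESCRYPT" section; either document the bcrypt work-factor knob here or state explicitly that the libc default cost is used, so an admin who selects BCRYPT knows what they get. In the same hunk, `# If set to DES, DES-based algorithm will be used for encrypting password (default)` still sits one line above the new `+# MD5 and DES should not be used for new hashes`; rephrase "(default)" as the fallback when ENCRYPT_METHOD is unset, since this file sets ENCRYPT_METHOD SHA512 below and the two lines otherwise read as contradictory advice.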
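Review bot: the second hunk now states that the libc default of 5000 rounds "is orders of magnitude too low for modern hardware", yet the example settings directly below remain `+#SHA_CRYPT_MIN_ROUNDS 5000` / `+#SHA_CRYPT_MAX_ROUNDS 5000`, and with both keys commented out and ENCRYPT_METHOD SHA512 active the shipped configuration uses exactly the value the comment warns against. Either raise the example values to something the comment considers acceptable, or add one sentence on how to choose a value (for instance by measuring the per-hash time on the authenticating host), and replace "orders of magnitude" with a quantified statement or a pointer to crypt(5) as the first hunk does, so the warning is actionable rather than alarming. The "Only used" to "Only works" wording and the removed space in `# SHA_CRYPT_MIN_ROUNDS` are fine as cosmetic cleanups.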