Shadow update

Olaf mailinglists at ban-solms.de
Sat Oct 11 00:38:29 PDT 2008


Robert Connolly wrote:
> On Thursday October 9 2008 06:21:37 pm Bruce Dubbs wrote:
>   
>> Should there be a mention of the possible use of SHA password encryption?
>>     
>
> Using MD5 or SHA can be kept simple by using all the default options for SHA, 
> and mentioning that there are more options in login.def. Many people probably 
> don't know SHA was added to Glibc.
>   
When you mention the possibility for SHA, maybe it is a good idea to 
also mention the option to increase the number of SHA rounds.

From login.def:
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000

I do not have any numbers on the CPU resources needed when 
(dramatically) increasing SHA rounds.


DIY note for reference: 
http://www.diy-linux.org/pipermail/diy-linux-dev/2008-October/001309.html



Olaf
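
Added example, not part of the original message and not code from the shadow project: a small audit that applies the MIN/MAX rules from the login.def comment quoted above and flags stored hashes below a chosen rounds floor. The function names, the `floor` parameter and the sample data are assumptions made for illustration.

```python
import re

DEFAULT_ROUNDS = 5000                      # libc default named in the quoted comment
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999   # valid range named in the quoted comment
KEYS = ("SHA_CRYPT_MIN_ROUNDS", "SHA_CRYPT_MAX_ROUNDS")
# SHA-crypt strings: $5$ or $6$, an optional "rounds=N$", then salt and hash.
SHA_CRYPT = re.compile(r"^\$(5|6)\$(?:rounds=(\d+)\$)?[^$]*\$[^$]+$")

def effective_rounds(login_defs_text):
    """Return the (low, high) rounds the quoted rules give for this config text."""
    vals = {}
    for line in login_defs_text.splitlines():
        tok = line.split("#", 1)[0].split()      # drop comments, split key/value
        if len(tok) == 2 and tok[0] in KEYS:
            n = int(tok[1])
            if not ROUNDS_MIN <= n <= ROUNDS_MAX:
                raise ValueError(f"{tok[0]}={n} outside {ROUNDS_MIN}-{ROUNDS_MAX}")
            vals[tok[0]] = n
    lo, hi = vals.get(KEYS[0]), vals.get(KEYS[1])
    if lo is None and hi is None:
        return (DEFAULT_ROUNDS, DEFAULT_ROUNDS)  # nothing set: libc default
    if lo is None or hi is None:
        return (lo, lo) if hi is None else (hi, hi)  # only one set: use it
    if lo > hi:
        return (lo, lo)                          # MIN > MAX: highest value is used
    return (lo, hi)

def audit_shadow(shadow_text, floor):
    """List (user, reason) for password hashes weaker than `floor` rounds."""
    findings = []
    for entry in shadow_text.splitlines():
        user, _, rest = entry.partition(":")
        field = rest.split(":", 1)[0].lstrip("!")  # ignore the lock marker
        if field in ("", "*"):
            continue                               # no password set
        m = SHA_CRYPT.match(field)
        if m is None:
            findings.append((user, "not SHA-crypt"))
        else:
            rounds = int(m.group(2) or DEFAULT_ROUNDS)  # no rounds= means default
            if rounds < floor:
                findings.append((user, f"rounds={rounds} < {floor}"))
    return findings

# Constructed sample input; the salts and hashes are placeholders, not real output.
SAMPLE_LOGIN_DEFS = "ENCRYPT_METHOD SHA512\nSHA_CRYPT_MIN_ROUNDS 100000\n# SHA_CRYPT_MAX_ROUNDS 5000\n"
SAMPLE_SHADOW = ("alice:$6$rounds=100000$c2FsdA$Zm9v:14163:0:99999:7:::\n"
                 "bob:$6$c2FsdA$YmFy:14163:0:99999:7:::\n"
                 "carol:$1$c2FsdA$YmF6:14163:0:99999:7:::\ndaemon:*:14163:0:99999:7:::\n")
```

Raising the rounds setting only affects passwords set afterwards, so an audit like this shows which accounts still carry hashes created under the old setting.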



