diff options
| author | Xi Ruoyao <xry111@xry111.site> | 2023-07-03 21:28:36 +0800 |
|---|---|---|
| committer | Xi Ruoyao <xry111@xry111.site> | 2023-07-03 21:28:36 +0800 |
| commit | c2325070afb64fd46a409f0445112df2dbfe9456 (patch) | |
| tree | b1c483e44548a494d511b19211dadc3c969b87da | |
| parent | f4313a75c82a222e804d3dd5284b37a510acbe6e (diff) | |
shadow: Allow using bcrypt and yescrypt, and use yescrypt as the default
Yescrypt is the current default password hashing algorithm of Fedora
and Debian. See [1] for its advantage.
Now we have libxcrypt providing the implementation of bcrypt and
yescrypt, we can switch to yescrypt as well. We also don't need to
adjust the rounds for SHA512 anymore.
[1]:https://www.fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
| -rw-r--r-- | chapter08/shadow.xml | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml index 93d1f3f7e..0f34d70ac 100644 --- a/chapter08/shadow.xml +++ b/chapter08/shadow.xml @@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen> <para id="shadow-login_defs">Instead of using the default - <emphasis>crypt</emphasis> method, use the more secure - <emphasis>SHA-512</emphasis> method of password encryption, which also - allows passwords longer than 8 characters. In addition, set the number of - rounds to 500,000 instead of the default 5000, which is much too low to - prevent brute force password attacks. It is also necessary to change + <emphasis>crypt</emphasis> method, use the much more secure + <emphasis>YESCRYPT</emphasis> method of password encryption, which also + allows passwords longer than 8 characters. + It is also necessary to change the obsolete <filename class="directory">/var/spool/mail</filename> location for user mailboxes that Shadow uses by default to the <filename class="directory">/var/mail</filename> location used currently. And, @@ -81,10 +80,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s built.</para> </note> -<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \ - -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \ - -e 's:/var/spool/mail:/var/mail:' \ - -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ +<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \ + -e 's:/var/spool/mail:/var/mail:' \ + -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ -i etc/login.defs</userinput></screen> <note> @@ -106,8 +104,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s <para>Prepare Shadow for compilation:</para> <screen><userinput remap="configure">touch /usr/bin/passwd -./configure --sysconfdir=/etc \ - --disable-static \ +./configure --sysconfdir=/etc \ + --disable-static \ + --with-{b,yes}crypt \ --with-group-name-max-length=32</userinput></screen> <variablelist> @@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s create it in the wrong place.</para> </listitem> </varlistentry> + + <varlistentry> + <term><parameter>--with-{b,yes}crypt</parameter></term> + <listitem> + <para>The shell expands this to two switches, + <parameter>--with-bcrypt</parameter> and + <parameter>--with-yescrypt</parameter>. They allow shadow to use + the Bcrypt and Yescrypt algorithms implemented by + <application>Libxcrypt</application> for hashing passwords. + These algorithms are more secure (in particular, much more + resistant to GPU-based attacks) than the traditional SHA + algorithms.</para> + </listitem> + </varlistentry> + <varlistentry> <term><parameter>--with-group-name-max-length=32</parameter></term> <listitem> |