diff options
author | Pierre Labastie <pierre.labastie@neuf.fr> | 2022-11-25 09:30:45 +0100 |
---|---|---|
committer | Pierre Labastie <pierre.labastie@neuf.fr> | 2022-11-25 09:30:45 +0100 |
commit | aea16f699ed1fac8534d6599cc56de694ebf64c2 (patch) | |
tree | e98ed2e055adfb4c74719dcefac114db50e25748 /chapter08/shadow.xml | |
parent | 9a23a75c5dc3cee5a3f1b10bc61c1192ae4a17bb (diff) |
Sync shadow "rounds" parameter to blfs
Otherwise, As Xi has noticed, the password set for root at the end
of lfs may use the value 5000 for rounds, and not be changed, even
if later the number of rounds is increased.
Diffstat (limited to 'chapter08/shadow.xml')
-rw-r--r-- | chapter08/shadow.xml | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml index 83c8f6ec9..93d1f3f7e 100644 --- a/chapter08/shadow.xml +++ b/chapter08/shadow.xml @@ -62,7 +62,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s <para id="shadow-login_defs">Instead of using the default <emphasis>crypt</emphasis> method, use the more secure <emphasis>SHA-512</emphasis> method of password encryption, which also - allows passwords longer than 8 characters. It is also necessary to change + allows passwords longer than 8 characters. In addition, set the number of + rounds to 500,000 instead of the default 5000, which is much too low to + prevent brute force password attacks. It is also necessary to change the obsolete <filename class="directory">/var/spool/mail</filename> location for user mailboxes that Shadow uses by default to the <filename class="directory">/var/mail</filename> location used currently. And, @@ -80,6 +82,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s </note> <screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \ + -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \ -e 's:/var/spool/mail:/var/mail:' \ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ -i etc/login.defs</userinput></screen> |