Diffstat (limited to 'chapter08/shadow.xml')
-rw-r--r--  chapter08/shadow.xml  36
1 files changed, 25 insertions, 11 deletions
diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml
index 93d1f3f7e..0f34d70ac 100644
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml
@@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen>
<para id="shadow-login_defs">Instead of using the default
- <emphasis>crypt</emphasis> method, use the more secure
- <emphasis>SHA-512</emphasis> method of password encryption, which also
- allows passwords longer than 8 characters. In addition, set the number of
- rounds to 500,000 instead of the default 5000, which is much too low to
- prevent brute force password attacks. It is also necessary to change
+ <emphasis>crypt</emphasis> method, use the much more secure
+ <emphasis>YESCRYPT</emphasis> method of password encryption, which also
+ allows passwords longer than 8 characters.
+ It is also necessary to change
the obsolete <filename class="directory">/var/spool/mail</filename> location
for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used currently. And,
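Review bot: "It is also necessary to change" is left as a fragment on its own line after the shortened "allows passwords longer than 8 characters." line; join it to the preceding text so the paragraph reads continuously. The old text also explained why the rounds setting was changed; the new text drops that setting silently, so add a clause saying the SHA_CRYPT rounds tuning does not apply to yescrypt (and, if login.defs exposes a yescrypt cost setting in this version, whether the default is acceptable). Spelling: the method is written "YESCRYPT" here and "Yescrypt" in the later varlistentry; the upper-case form is the login.defs value, so either say so or use one spelling for the algorithm name.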
@@ -81,10 +80,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
built.</para>
</note>
-<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
- -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
- -e 's:/var/spool/mail:/var/mail:' \
- -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
+<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
+ -e 's:/var/spool/mail:/var/mail:' \
+ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
-i etc/login.defs</userinput></screen>
<note>
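Review bot: the substitution of ENCRYPT_METHOD DES with YESCRYPT is unverified; sed exits 0 even when the `#ENCRYPT_METHOD DES` pattern is absent, and an unchanged file would leave the weak DES default in place, so a following `grep '^ENCRYPT_METHOD' etc/login.defs` (or a sentence saying what the edited line should look like) would catch a silent miss. Removing the `SHA_CRYPT_..._ROUNDS` expression is consistent with the method change, but the rounds setting only applies to the SHA methods, and the prose above should say that rather than leaving the reader to infer it.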
@@ -106,8 +104,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
<para>Prepare Shadow for compilation:</para>
<screen><userinput remap="configure">touch /usr/bin/passwd
-./configure --sysconfdir=/etc \
- --disable-static \
+./configure --sysconfdir=/etc \
+ --disable-static \
+ --with-{b,yes}crypt \
--with-group-name-max-length=32</userinput></screen>
<variablelist>
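Review bot: `--with-{b,yes}crypt` depends on bash brace expansion; typed into a POSIX sh the literal string would reach configure unexpanded and not be recognized, so the block should make clear it is run under bash (the later varlistentry explains the expansion, but the reader copying this screen sees only the command). The switch also enables bcrypt even though the login.defs edit above selects YESCRYPT only; state why bcrypt is enabled as well, or drop it from the configure line.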
@@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
create it in the wrong place.</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><parameter>--with-{b,yes}crypt</parameter></term>
+ <listitem>
+ <para>The shell expands this to two switches,
+ <parameter>--with-bcrypt</parameter> and
+ <parameter>--with-yescrypt</parameter>. They allow shadow to use
+ the Bcrypt and Yescrypt algorithms implemented by
+ <application>Libxcrypt</application> for hashing passwords.
+ These algorithms are more secure (in particular, much more
+ resistant to GPU-based attacks) than the traditional SHA
+ algorithms.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><parameter>--with-group-name-max-length=32</parameter></term>
<listitem>
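Review bot: the entry says the algorithms are implemented by Libxcrypt, so it should state that the Libxcrypt build must include bcrypt and yescrypt support, otherwise these switches enable methods that crypt() cannot produce; a cross-reference to the Libxcrypt instructions would cover that. Minor: "shadow" is lower-case here while the rest of the page writes "Shadow", "Bcrypt and Yescrypt" should match the spelling chosen in the login.defs paragraph, and the two added blank lines around the new varlistentry are unnecessary.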