path: root/chapter08/shadow.xml
Diffstat (limited to 'chapter08/shadow.xml')
-rw-r--r-- chapter08/shadow.xml 7
1 files changed, 5 insertions, 2 deletions
diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml
index c12826f9f..93d1f3f7e 100644
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml
@@ -62,7 +62,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
<para id="shadow-login_defs">Instead of using the default
<emphasis>crypt</emphasis> method, use the more secure
<emphasis>SHA-512</emphasis> method of password encryption, which also
- allows passwords longer than 8 characters. It is also necessary to change
+ allows passwords longer than 8 characters. In addition, set the number of
+ rounds to 500,000 instead of the default 5000, which is much too low to
+ prevent brute force password attacks. It is also necessary to change
the obsolete <filename class="directory">/var/spool/mail</filename> location
for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used currently. And,
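Review bot: The sentence added on the + lines ("set the number of rounds to 500,000 instead of the default 5000") does not say which settings are being changed, so the reader cannot relate it to the sed expression that follows in the next hunk. Suggest naming the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS entries of etc/login.defs here, since the pattern SHA_CRYPT_..._ROUNDS rewrites both. Two style points in the same sentence: the numbers are formatted inconsistently (500,000 with a separator, 5000 without), and "brute force" used as a modifier should be hyphenated as "brute-force".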
@@ -80,6 +82,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
</note>
<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
+ -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
-e 's:/var/spool/mail:/var/mail:' \
-e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
-i etc/login.defs</userinput></screen>
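Review bot: The added expression -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' fails silently if the commented default in etc/login.defs is not exactly "5000" after a single space, because sed then substitutes nothing and still exits successfully, leaving the rounds at the default the prose calls much too low. Suggest following the command with a check that the ROUNDS lines are uncommented and read 500000, for example a grep for SHA_CRYPT in etc/login.defs. The replacement \100 is also easy to misread: it is the backreference \1 followed by a literal "00", which deserves a short explanation in the surrounding text.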
@@ -203,7 +206,7 @@ useradd -D --gid 999</userinput></screen>
next available number. Note also that if you don't have a group with
an ID equal to this number on your system, then the first time you use
<command>useradd</command> without the <parameter>-g</parameter>
- parameter, an error message will be generated &mdash; <computeroutput>useradd:
+ parameter, an error message will be generated&mdash;<computeroutput>useradd:
unknown GID 999</computeroutput>,
even though the account has been created correctly. That is why we
created the group <systemitem class="groupname">users</systemitem>
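Review bot: The only change in this hunk is removing the spaces around the &mdash; entity on the "an error message will be generated" line, which is unrelated to the rounds change in the other two hunks. Suggest moving this typographic fix to a separate commit so the security-relevant change to etc/login.defs is not mixed with formatting and is easier to find in the history.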