From c2325070afb64fd46a409f0445112df2dbfe9456 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Mon, 3 Jul 2023 21:28:36 +0800
Subject: shadow: Allow using bcrypt and yescrypt, and use yescrypt as the
 default

Yescrypt is the current default password hashing algorithm of Fedora
and Debian.  See [1] for its advantage.

Now we have libxcrypt providing the implementation of bcrypt and
yescrypt, we can switch to yescrypt as well.  We also don't need to
adjust the rounds for SHA512 anymore.

[1]:https://www.fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
---
 chapter08/shadow.xml | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml
index 93d1f3f7e..0f34d70ac 100644
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml
@@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
 find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></screen>
 
     <para id="shadow-login_defs">Instead of using the default
-    <emphasis>crypt</emphasis> method, use the more secure
-    <emphasis>SHA-512</emphasis> method of password encryption, which also
-    allows passwords longer than 8 characters. In addition, set the number of
-    rounds to 500,000 instead of the default 5000, which is much too low to
-    prevent brute force password attacks. It is also necessary to change
+    <emphasis>crypt</emphasis> method, use the much more secure
+    <emphasis>YESCRYPT</emphasis> method of password encryption, which also
+    allows passwords longer than 8 characters.
+    It is also necessary to change
     the obsolete <filename class="directory">/var/spool/mail</filename> location
     for user mailboxes that Shadow uses by default to the <filename
     class="directory">/var/mail</filename> location used currently. And,
@@ -81,10 +80,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
       built.</para>
     </note>
 
-<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
-    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'       \
-    -e 's:/var/spool/mail:/var/mail:'                 \
-    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
+<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
+    -e 's:/var/spool/mail:/var/mail:'                   \
+    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                  \
     -i etc/login.defs</userinput></screen>
 
     <note>
@@ -106,8 +104,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
     <para>Prepare Shadow for compilation:</para>
 
 <screen><userinput remap="configure">touch /usr/bin/passwd
-./configure --sysconfdir=/etc \
-            --disable-static  \
+./configure --sysconfdir=/etc   \
+            --disable-static    \
+            --with-{b,yes}crypt \
             --with-group-name-max-length=32</userinput></screen>
 
     <variablelist>
@@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
           create it in the wrong place.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><parameter>--with-{b,yes}crypt</parameter></term>
+        <listitem>
+          <para>The shell expands this to two switches,
+          <parameter>--with-bcrypt</parameter> and
+          <parameter>--with-yescrypt</parameter>.  They allow shadow to use
+          the Bcrypt and Yescrypt algorithms implemented by
+          <application>Libxcrypt</application> for hashing passwords.
+          These algorithms are more secure (in particular, much more
+          resistant to GPU-based attacks) than the traditional SHA
+          algorithms.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><parameter>--with-group-name-max-length=32</parameter></term>
         <listitem>
-- 
cgit v1.2.3-54-g00ecf