shadow/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml

<!--
   SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
   SPDX-License-Identifier: BSD-3-Clause
-->
<varlistentry condition="sha_crypt">
  <term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
  <term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
  <listitem>
    <para>
      When <option>ENCRYPT_METHOD</option> is set to
      <replaceable>SHA256</replaceable> or
      <replaceable>SHA512</replaceable>, this defines the number of SHA
      rounds used by the encryption algorithm by default (when the number
      of rounds is not specified on the command line).
    </para>
    <para>
      With a lot of rounds, it is more difficult to brute forcing the
      password. But note also that more CPU resources will be needed to
      authenticate users.
    </para>
    <para>
      If not specified, the libc will choose the default number of rounds
      (5000), which is orders of magnitude too low for modern hardware.
    </para>
    <para>
      The values must be inside the 1000-999,999,999 range.
    </para>
    <para>
      If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
      <option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this value
      will be used.
    </para>
    <para>
      If <option>SHA_CRYPT_MIN_ROUNDS</option> &gt;
      <option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will be
      used.
    </para>
    <para condition="pam">
      Note: This only affect the generation of group passwords.
      The generation of user passwords is done by PAM and subject to the
      PAM configuration. It is recommended to set this variable
      consistently with the PAM configuration.
    </para>
  </listitem>
</varlistentry>
* man/.xml, man/login.defs.d/.xml: Added copyright and licence header. 2008-10-11 17:14:43 +05:30			`<!--`
Update licensing info Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License \| grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-12-05 21:05:27 +05:30			`SPDX-FileCopyrightText: 2007 - 2008, Nicolas François`
			`SPDX-License-Identifier: BSD-3-Clause`
* man/.xml, man/login.defs.d/.xml: Added copyright and licence header. 2008-10-11 17:14:43 +05:30			`-->`
SHA_CRYPT_MAX_ROUNDS and SHA_CRYPT_MIN_ROUNDS can only exist if configured with --with-sha-crypt. 2008-05-20 02:29:51 +05:30			`<varlistentry condition="sha_crypt">`
Put each variable description in an external entities. This will permit to reference them in the various utils manpages. 2007-11-27 03:41:23 +05:30			`<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>`
			`<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>`
			`<listitem>`
			`<para>`
			`When <option>ENCRYPT_METHOD</option> is set to`
			`<replaceable>SHA256</replaceable> or`
			`<replaceable>SHA512</replaceable>, this defines the number of SHA`
			`rounds used by the encryption algorithm by default (when the number`
			`of rounds is not specified on the command line).`
			`</para>`
			`<para>`
			`With a lot of rounds, it is more difficult to brute forcing the`
			`password. But note also that more CPU resources will be needed to`
			`authenticate users.`
			`</para>`
			`<para>`
			`If not specified, the libc will choose the default number of rounds`
login.defs: warn about weak choices According to crypt(5), MD5 and DES should not be used for new hashes. Also the default number of SHA rounds chosen by libc is orders of magnitude too low for modern hardware. Let's warn the users about weak choices. Signed-off-by: Topi Miettinen <toiwoton@gmail.com> 2020-04-10 16:39:55 +05:30			`(5000), which is orders of magnitude too low for modern hardware.`
Put each variable description in an external entities. This will permit to reference them in the various utils manpages. 2007-11-27 03:41:23 +05:30			`</para>`
			`<para>`
Fix typos in manpages Catalan translation updated 2011-06-01 17:28:04 +05:30			`The values must be inside the 1000-999,999,999 range.`
Put each variable description in an external entities. This will permit to reference them in the various utils manpages. 2007-11-27 03:41:23 +05:30			`</para>`
			`<para>`
			`If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or`
			`<option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this value`
			`will be used.`
			`</para>`
			`<para>`
			`If <option>SHA_CRYPT_MIN_ROUNDS</option> >`
			`<option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will be`
			`used.`
			`</para>`
* man/login.defs.d/ENCRYPT_METHOD.xml, man/login.defs.d/MD5_CRYPT_ENAB.xml, man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml: Updated note for PAM enabled versions. These variables are only used for group passwords in this case. 2009-05-09 18:46:10 +05:30			`<para condition="pam">`
			`Note: This only affect the generation of group passwords.`
			`The generation of user passwords is done by PAM and subject to the`
			`PAM configuration. It is recommended to set this variable`
			`consistently with the PAM configuration.`
			`</para>`
Put each variable description in an external entities. This will permit to reference them in the various utils manpages. 2007-11-27 03:41:23 +05:30			`</listitem>`
			`</varlistentry>`