diff --git a/ChangeLog b/ChangeLog
index e7ed71c9..49b432ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2007-11-20 Nicolas François
+
+ * man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
+ encryption algorithm is chosen for the passwords. Document the new
+ -c and -s options. Add a reference to login.defs(5).
+ * man/login.defs.5.xml: Document the ENCRYPT_METHOD,
+ MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
+ variables.
+ * etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
+ Document the relationship with PAM for MD5_CRYPT_ENAB and
+ ENCRYPT_METHOD.
+
 2007-11-20 Nicolas François
 * src/passwd.c: Increase the size of crypt_passwd from 128 to 256
diff --git a/etc/login.defs b/etc/login.defs
index dae98f25..e518d5db 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -276,6 +276,11 @@ CHFN_RESTRICT rwh
 # Set to "no" if you need to copy encrypted passwords to other systems
 # which don't understand the new algorithm. Default is "no".
 #
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
 #MD5_CRYPT_ENAB no
 #
@@ -286,6 +291,9 @@ CHFN_RESTRICT rwh
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # Overrides the MD5_CRYPT_ENAB option
 #
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
 #ENCRYPT_METHOD DES
 #
diff --git a/man/chgpasswd.8.xml b/man/chgpasswd.8.xml
index 07f6def4..4ac3f6ef 100644
--- a/man/chgpasswd.8.xml
+++ b/man/chgpasswd.8.xml
@@ -35,6 +35,12 @@ By default the supplied password must be in clear-text. Default encryption algorithm is DES. + + The default encryption algorithm can be defined for the system with + the ENCRYPT_METHOD variable of /etc/login.defs, + and can be overwiten with the , + , or options. + This command is intended to be used in a large system environment where many accounts are created at a single time.
@@ -48,6 +54,16 @@ are: + + , + + Use the specified method to encrypt the passwords. + + The available methods are DES, MD5, and SHA256 or SHA512 + if compiled with the ENCRYPTMETHOD_SELECT flag. + + + ,
@@ -69,6 +85,31 @@ + + , + + + Use the specified number of rounds to encrypt the passwords. + + + The value 0 means that the system will choose the default + number of rounds for the crypt method (5000). + + + A minimal value of 1000 and a maximal value of 999,999,999 + will be enforced. + + + You can only use this option with the SHA256 or SHA512 + crypt method. + + + By default, the number of rounds is defined by the + SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in + /etc/login.defs. + + +
@@ -88,6 +129,9 @@ , groupadd8 + , + + login.defs5 .
diff --git a/man/chpasswd.8.xml b/man/chpasswd.8.xml
index f3eafb7e..cd191c75 100644
--- a/man/chpasswd.8.xml
+++ b/man/chpasswd.8.xml
@@ -36,6 +36,12 @@ encryption algorithm is DES. Also the password age will be updated, if present. + + The default encryption algorithm can be defined for the system with + the ENCRYPT_METHOD variable of /etc/login.defs, + and can be overwiten with the , + , or options. + This command is intended to be used in a large system environment where many accounts are created at a single time.
@@ -49,6 +55,16 @@ are: + + , + + Use the specified method to encrypt the passwords. + + The available methods are DES, MD5, and SHA256 or SHA512 + if compiled with the ENCRYPTMETHOD_SELECT flag. + + + ,
@@ -70,6 +86,31 @@ + + , + + + Use the specified number of rounds to encrypt the passwords. + + + The value 0 means that the system will choose the default + number of rounds for the crypt method (5000). + + + A minimal value of 1000 and a maximal value of 999,999,999 + will be enforced. + + + You can only use this option with the SHA256 or SHA512 + crypt method. + + + By default, the number of rounds is defined by the + SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in + /etc/login.defs. + + +
@@ -99,6 +140,9 @@ , useradd8 + , + + login.defs5 .
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index 52f4d44e..9631b99f 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -72,6 +72,34 @@ + + ENCRYPT_METHOD (string) + + + If set to MD5, the MD5-based algorithm will be used for + encrypting passwords. + + + If set to SHA256, the SHA256-based algorithm will be used for + encrypting passwords. + + + If set to SHA512, the SHA512-based algorithm will be used for + encrypting passwords. + + + If set to DES, the DES-based algorithm will be used for + encrypting passwords. It is the default algorithm. + + + Note: this parameter overrides the MD5_CRYPT_ENAB option. + + + Note: if you use PAM, it is recommended to set this variable + consistently with the PAM modules configuration. + + + GID_MAX (number) GID_MIN (number)
@@ -93,6 +121,27 @@ + + MD5_CRYPT_ENAB (boolean) + + + Indicate if passwords must be encrypted using the MD5-based + algorithm. If set to "yes", new passwords will be encrypted + using the MD5-based algorithm compatible with the one used by + recent releases of FreeBSD. It supports passwords of + unlimited length and longer salt strings. Set to "no" if you + need to copy encrypted passwords to other systems which don't + understand the new algorithm. Default is "no". + + + This variable is deprecated. You should use ENCRYPT_METHOD. + + + Note: if you use PAM, it is recommended to set this variable + consistently with the PAM modules configuration. + + + PASS_MAX_DAYS (number)
@@ -134,6 +183,35 @@ existing accounts. + + SHA_CRYPT_MIN_ROUNDS (number) + SHA_CRYPT_MAX_ROUNDS (number) + + + When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines + the number of SHA rounds used by the encryption algorithm. + + + With a lot of rounds, it is more difficult to brute forcing + the password. But note also that more CPU resources will be + needed to authenticate users. + + + If not specified, the libc will choose the default number of rounds + (5000). + + + The values must be inside the 1000-999999999 range. + + + If only one of the MIN or MAX values is set, then this value will be + used. + + + If MIN > MAX, the highest value will be used. + + + UID_MAX (number) UID_MIN (number)