* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the

encryption algorithm is chosen for the passwords. Document the new -c and -s options. Add a reference to login.defs(5). * man/login.defs.5.xml: Document the ENCRYPT_METHOD, MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS variables. * etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated. Document the relationship with PAM for MD5_CRYPT_ENAB and ENCRYPT_METHOD.
2007-11-20 12:59:20 +00:00 · 2007-11-20 12:59:20 +00:00 · 6e3ad7a275
commit 6e3ad7a275
parent 5cb462d767
5 changed files with 186 additions and 0 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
 2007-11-20  Nicolas François  <nicolas.francois@centraliens.net>
 	* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
 	encryption algorithm is chosen for the passwords. Document the new
 	-c and -s options. Add a reference to login.defs(5).
 	* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
 	MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
 	variables.
 	* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
 	Document the relationship with PAM for MD5_CRYPT_ENAB and
 	ENCRYPT_METHOD.
 2007-11-20  Nicolas François  <nicolas.francois@centraliens.net>
 	* src/passwd.c: Increase the size of crypt_passwd from 128 to 256
--- a/etc/login.defs
+++ b/etc/login.defs
@ -276,6 +276,11 @@ CHFN_RESTRICT		rwh
 # Set to "no" if you need to copy encrypted passwords to other systems
 # which don't understand the new algorithm.  Default is "no".
 #
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 # This variable is deprecated. You should use ENCRYPT_METHOD.
 #
 #MD5_CRYPT_ENAB	no
 #
@ -286,6 +291,9 @@ CHFN_RESTRICT		rwh
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # Overrides the MD5_CRYPT_ENAB option
 #
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 #ENCRYPT_METHOD DES
 #
--- a/man/chgpasswd.8.xml
+++ b/man/chgpasswd.8.xml
@ -35,6 +35,12 @@
      By default the supplied password must be in clear-text. Default
      encryption algorithm is DES.
    </para>
    <para>
      The default encryption algorithm can be defined for the system with
      the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
      and can be overwiten with the <option>-e</option>,
      <option>-m</option>, or <option>-c</option> options.
    </para>
    <para>
      This command is intended to be used in a large system environment
      where many accounts are created at a single time.
@ -48,6 +54,16 @@
      are:
    </para>
    <variablelist remap='IP'>
      <varlistentry>
 	<term><option>-c</option>, <option>--crypt-method</option></term>
 	<listitem>
 	  <para>Use the specified method to encrypt the passwords.</para>
 	  <para>
 	    The available methods are DES, MD5, and SHA256 or SHA512
 	    if compiled with the ENCRYPTMETHOD_SELECT flag.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term><option>-e</option>, <option>--encrypted</option></term>
 	<listitem>
@ -69,6 +85,31 @@
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term><option>-s</option>, <option>--sha-rounds</option></term>
 	<listitem>
 	  <para>
 	    Use the specified number of rounds to encrypt the passwords.
 	  </para>
 	  <para>
 	    The value 0 means that the system will choose the default
 	    number of rounds for the crypt method (5000).
 	  </para>
 	  <para>
 	    A minimal value of 1000 and a maximal value of 999,999,999
 	    will be enforced.
 	  </para>
 	  <para>
 	    You can only use this option with the SHA256 or SHA512
 	    crypt method.
 	  </para>
 	  <para>
 	    By default, the number of rounds is defined by the
 	    SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
 	    <filename>/etc/login.defs</filename>.
 	  </para>
 	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@ -88,6 +129,9 @@
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>groupadd</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
--- a/man/chpasswd.8.xml
+++ b/man/chpasswd.8.xml
@ -36,6 +36,12 @@
      encryption algorithm is DES. Also the password age will be updated, if
      present.
    </para>
    <para>
      The default encryption algorithm can be defined for the system with
      the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
      and can be overwiten with the <option>-e</option>,
      <option>-m</option>, or <option>-c</option> options.
    </para>
    <para>
      This command is intended to be used in a large system environment
      where many accounts are created at a single time.
@ -49,6 +55,16 @@
      are:
    </para>
    <variablelist remap='IP'>
      <varlistentry>
 	<term><option>-c</option>, <option>--crypt-method</option></term>
 	<listitem>
 	  <para>Use the specified method to encrypt the passwords.</para>
 	  <para>
 	    The available methods are DES, MD5, and SHA256 or SHA512
 	    if compiled with the ENCRYPTMETHOD_SELECT flag.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term><option>-e</option>, <option>--encrypted</option></term>
 	<listitem>
@ -70,6 +86,31 @@
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term><option>-s</option>, <option>--sha-rounds</option></term>
 	<listitem>
 	  <para>
 	    Use the specified number of rounds to encrypt the passwords.
 	  </para>
 	  <para>
 	    The value 0 means that the system will choose the default
 	    number of rounds for the crypt method (5000).
 	  </para>
 	  <para>
 	    A minimal value of 1000 and a maximal value of 999,999,999
 	    will be enforced.
 	  </para>
 	  <para>
 	    You can only use this option with the SHA256 or SHA512
 	    crypt method.
 	  </para>
 	  <para>
 	    By default, the number of rounds is defined by the
 	    SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
 	    <filename>/etc/login.defs</filename>.
 	  </para>
 	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@ -99,6 +140,9 @@
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@ -72,6 +72,34 @@
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term>ENCRYPT_METHOD (string)</term>
 	<listitem>
 	  <para>
 	    If set to MD5, the MD5-based algorithm will be used for
 	    encrypting passwords.
 	  </para>
 	  <para>
 	    If set to SHA256, the SHA256-based algorithm will be used for
 	    encrypting passwords.
 	  </para>
 	  <para>
 	    If set to SHA512, the SHA512-based algorithm will be used for
 	    encrypting passwords.
 	  </para>
 	  <para>
 	    If set to DES, the DES-based algorithm will be used for
 	    encrypting passwords. It is the default algorithm.
 	  </para>
 	  <para>
 	    Note: this parameter overrides the MD5_CRYPT_ENAB option.
 	  </para>
 	  <para>
 	    Note: if you use PAM, it is recommended to set this variable
 	    consistently with the PAM modules configuration.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term>GID_MAX (number)</term>
 	<term>GID_MIN (number)</term>
@ -93,6 +121,27 @@
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term>MD5_CRYPT_ENAB (boolean)</term>
 	<listitem>
 	  <para>
 	    Indicate if passwords must be encrypted using the MD5-based
 	    algorithm. If set to "yes", new passwords will be encrypted
 	    using the MD5-based algorithm compatible with the one used by
 	    recent releases of FreeBSD. It supports passwords of
 	    unlimited length and longer salt strings. Set to "no" if you
 	    need to copy encrypted passwords to other systems which don't
 	    understand the new algorithm. Default is "no".
 	  </para>
 	  <para>
 	    This variable is deprecated. You should use ENCRYPT_METHOD.
 	  </para>
 	  <para>
 	    Note: if you use PAM, it is recommended to set this variable
 	    consistently with the PAM modules configuration.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term>PASS_MAX_DAYS (number)</term>
 	<listitem>
@ -134,6 +183,35 @@
      existing accounts.
    </para>
    <variablelist remap='IP'>
      <varlistentry>
 	<term>SHA_CRYPT_MIN_ROUNDS (number)</term>
 	<term>SHA_CRYPT_MAX_ROUNDS (number)</term>
 	<listitem>
 	  <para>
 	    When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
 	    the number of SHA rounds used by the encryption algorithm.
 	  </para>
 	  <para>
 	    With a lot of rounds, it is more difficult to brute forcing
 	    the password. But note also that more CPU resources will be
 	    needed to authenticate users.
 	  </para>
 	  <para>
 	    If not specified, the libc will choose the default number of rounds
 	    (5000).
 	  </para>
 	  <para>
 	    The values must be inside the 1000-999999999 range.
 	  </para>
 	  <para>
 	    If only one of the MIN or MAX values is set, then this value will be
 	    used.
 	  </para>
 	  <para>
 	    If MIN &gt; MAX, the highest value will be used.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
 	<term>UID_MAX (number)</term>
 	<term>UID_MIN (number)</term>