* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the

encryption algorithm is chosen for the passwords. Document the new -c and -s options. Add a reference to login.defs(5). * man/login.defs.5.xml: Document the ENCRYPT_METHOD, MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS variables. * etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated. Document the relationship with PAM for MD5_CRYPT_ENAB and ENCRYPT_METHOD.
2007-11-20 12:59:20 +00:00 · 2007-11-20 12:59:20 +00:00 · 6e3ad7a275
commit 6e3ad7a275
parent 5cb462d767
5 changed files with 186 additions and 0 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2007-11-20  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
+	encryption algorithm is chosen for the passwords. Document the new
+	-c and -s options. Add a reference to login.defs(5).
+	* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
+	MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
+	variables.
+	* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
+	Document the relationship with PAM for MD5_CRYPT_ENAB and
+	ENCRYPT_METHOD.
+
 2007-11-20  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/passwd.c: Increase the size of crypt_passwd from 128 to 256
--- a/etc/login.defs
+++ b/etc/login.defs
@ -276,6 +276,11 @@ CHFN_RESTRICT		rwh
 # Set to "no" if you need to copy encrypted passwords to other systems
 # which don't understand the new algorithm.  Default is "no".
 #
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
 #MD5_CRYPT_ENAB	no

 #
@ -286,6 +291,9 @@ CHFN_RESTRICT		rwh
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # Overrides the MD5_CRYPT_ENAB option
 #
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
 #ENCRYPT_METHOD DES

 #
--- a/man/chgpasswd.8.xml
+++ b/man/chgpasswd.8.xml
@ -35,6 +35,12 @@
      By default the supplied password must be in clear-text. Default
      encryption algorithm is DES.
    </para>
+    <para>
+      The default encryption algorithm can be defined for the system with
+      the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+      and can be overwiten with the <option>-e</option>,
+      <option>-m</option>, or <option>-c</option> options.
+    </para>
    <para>
      This command is intended to be used in a large system environment
      where many accounts are created at a single time.
@ -48,6 +54,16 @@
      are:
    </para>
    <variablelist remap='IP'>
+      <varlistentry>
+	<term><option>-c</option>, <option>--crypt-method</option></term>
+	<listitem>
+	  <para>Use the specified method to encrypt the passwords.</para>
+	  <para>
+	    The available methods are DES, MD5, and SHA256 or SHA512
+	    if compiled with the ENCRYPTMETHOD_SELECT flag.
+	  </para>
+	</listitem>
+      </varlistentry>
      <varlistentry>
 	<term><option>-e</option>, <option>--encrypted</option></term>
 	<listitem>
@ -69,6 +85,31 @@
 	  </para>
 	</listitem>
      </varlistentry>
+      <varlistentry>
+	<term><option>-s</option>, <option>--sha-rounds</option></term>
+	<listitem>
+	  <para>
+	    Use the specified number of rounds to encrypt the passwords.
+	  </para>
+	  <para>
+	    The value 0 means that the system will choose the default
+	    number of rounds for the crypt method (5000).
+	  </para>
+	  <para>
+	    A minimal value of 1000 and a maximal value of 999,999,999
+	    will be enforced.
+	  </para>
+	  <para>
+	    You can only use this option with the SHA256 or SHA512
+	    crypt method.
+	  </para>
+	  <para>
+	    By default, the number of rounds is defined by the
+	    SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+	    <filename>/etc/login.defs</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@ -88,6 +129,9 @@
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>groupadd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
--- a/man/chpasswd.8.xml
+++ b/man/chpasswd.8.xml
@ -36,6 +36,12 @@
      encryption algorithm is DES. Also the password age will be updated, if
      present.
    </para>
+    <para>
+      The default encryption algorithm can be defined for the system with
+      the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+      and can be overwiten with the <option>-e</option>,
+      <option>-m</option>, or <option>-c</option> options.
+    </para>
    <para>
      This command is intended to be used in a large system environment
      where many accounts are created at a single time.
@ -49,6 +55,16 @@
      are:
    </para>
    <variablelist remap='IP'>
+      <varlistentry>
+	<term><option>-c</option>, <option>--crypt-method</option></term>
+	<listitem>
+	  <para>Use the specified method to encrypt the passwords.</para>
+	  <para>
+	    The available methods are DES, MD5, and SHA256 or SHA512
+	    if compiled with the ENCRYPTMETHOD_SELECT flag.
+	  </para>
+	</listitem>
+      </varlistentry>
      <varlistentry>
 	<term><option>-e</option>, <option>--encrypted</option></term>
 	<listitem>
@ -70,6 +86,31 @@
 	  </para>
 	</listitem>
      </varlistentry>
+      <varlistentry>
+	<term><option>-s</option>, <option>--sha-rounds</option></term>
+	<listitem>
+	  <para>
+	    Use the specified number of rounds to encrypt the passwords.
+	  </para>
+	  <para>
+	    The value 0 means that the system will choose the default
+	    number of rounds for the crypt method (5000).
+	  </para>
+	  <para>
+	    A minimal value of 1000 and a maximal value of 999,999,999
+	    will be enforced.
+	  </para>
+	  <para>
+	    You can only use this option with the SHA256 or SHA512
+	    crypt method.
+	  </para>
+	  <para>
+	    By default, the number of rounds is defined by the
+	    SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+	    <filename>/etc/login.defs</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@ -99,6 +140,9 @@
      </citerefentry>,
      <citerefentry>
 	<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@ -72,6 +72,34 @@
 	  </para>
 	</listitem>
      </varlistentry>
+      <varlistentry>
+	<term>ENCRYPT_METHOD (string)</term>
+	<listitem>
+	  <para>
+	    If set to MD5, the MD5-based algorithm will be used for
+	    encrypting passwords.
+	  </para>
+	  <para>
+	    If set to SHA256, the SHA256-based algorithm will be used for
+	    encrypting passwords.
+	  </para>
+	  <para>
+	    If set to SHA512, the SHA512-based algorithm will be used for
+	    encrypting passwords.
+	  </para>
+	  <para>
+	    If set to DES, the DES-based algorithm will be used for
+	    encrypting passwords. It is the default algorithm.
+	  </para>
+	  <para>
+	    Note: this parameter overrides the MD5_CRYPT_ENAB option.
+	  </para>
+	  <para>
+	    Note: if you use PAM, it is recommended to set this variable
+	    consistently with the PAM modules configuration.
+	  </para>
+	</listitem>
+      </varlistentry>
      <varlistentry>
 	<term>GID_MAX (number)</term>
 	<term>GID_MIN (number)</term>
@ -93,6 +121,27 @@
 	  </para>
 	</listitem>
      </varlistentry>
+      <varlistentry>
+	<term>MD5_CRYPT_ENAB (boolean)</term>
+	<listitem>
+	  <para>
+	    Indicate if passwords must be encrypted using the MD5-based
+	    algorithm. If set to "yes", new passwords will be encrypted
+	    using the MD5-based algorithm compatible with the one used by
+	    recent releases of FreeBSD. It supports passwords of
+	    unlimited length and longer salt strings. Set to "no" if you
+	    need to copy encrypted passwords to other systems which don't
+	    understand the new algorithm. Default is "no".
+	  </para>
+	  <para>
+	    This variable is deprecated. You should use ENCRYPT_METHOD.
+	  </para>
+	  <para>
+	    Note: if you use PAM, it is recommended to set this variable
+	    consistently with the PAM modules configuration.
+	  </para>
+	</listitem>
+      </varlistentry>
      <varlistentry>
 	<term>PASS_MAX_DAYS (number)</term>
 	<listitem>
@ -134,6 +183,35 @@
      existing accounts.
    </para>
    <variablelist remap='IP'>
+      <varlistentry>
+	<term>SHA_CRYPT_MIN_ROUNDS (number)</term>
+	<term>SHA_CRYPT_MAX_ROUNDS (number)</term>
+	<listitem>
+	  <para>
+	    When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
+	    the number of SHA rounds used by the encryption algorithm.
+	  </para>
+	  <para>
+	    With a lot of rounds, it is more difficult to brute forcing
+	    the password. But note also that more CPU resources will be
+	    needed to authenticate users.
+	  </para>
+	  <para>
+	    If not specified, the libc will choose the default number of rounds
+	    (5000).
+	  </para>
+	  <para>
+	    The values must be inside the 1000-999999999 range.
+	  </para>
+	  <para>
+	    If only one of the MIN or MAX values is set, then this value will be
+	    used.
+	  </para>
+	  <para>
+	    If MIN &gt; MAX, the highest value will be used.
+	  </para>
+	</listitem>
+      </varlistentry>
      <varlistentry>
 	<term>UID_MAX (number)</term>
 	<term>UID_MIN (number)</term>