[Pkg-shadow-commits] r1418 - in upstream/trunk: . etc man
nekral-guest at alioth.debian.org
Tue Nov 20 12:59:20 UTC 2007
Author: nekral-guest
Date: 2007-11-20 12:59:20 +0000 (Tue, 20 Nov 2007)
New Revision: 1418
Modified:
upstream/trunk/ChangeLog
upstream/trunk/etc/login.defs
upstream/trunk/man/chgpasswd.8.xml
upstream/trunk/man/chpasswd.8.xml
upstream/trunk/man/login.defs.5.xml
Log:
* man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
encryption algorithm is chosen for the passwords. Document the new
-c and -s options. Add a reference to login.defs(5).
* man/login.defs.5.xml: Document the ENCRYPT_METHOD,
MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
variables.
* etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
Document the relationship with PAM for MD5_CRYPT_ENAB and
ENCRYPT_METHOD.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2007-11-20 12:18:36 UTC (rev 1417)
+++ upstream/trunk/ChangeLog 2007-11-20 12:59:20 UTC (rev 1418)
@@ -1,5 +1,17 @@
2007-11-20 Nicolas François <nicolas.francois at centraliens.net>
+ * man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
+ encryption algorithm is chosen for the passwords. Document the new
+ -c and -s options. Add a reference to login.defs(5).
+ * man/login.defs.5.xml: Document the ENCRYPT_METHOD,
+ MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
+ variables.
+ * etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
+ Document the relationship with PAM for MD5_CRYPT_ENAB and
+ ENCRYPT_METHOD.
+
+2007-11-20 Nicolas François <nicolas.francois at centraliens.net>
+
* src/passwd.c: Increase the size of crypt_passwd from 128 to 256
to avoid overflow in case of SHA512 (161 should be sufficient).
Modified: upstream/trunk/etc/login.defs
===================================================================
--- upstream/trunk/etc/login.defs 2007-11-20 12:18:36 UTC (rev 1417)
+++ upstream/trunk/etc/login.defs 2007-11-20 12:59:20 UTC (rev 1418)
@@ -276,6 +276,11 @@
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
#MD5_CRYPT_ENAB no
#
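Review bot: The deprecation notice for MD5_CRYPT_ENAB is added after the PAM note, so a reader is first told how to tune the variable and only then that it should not be used. Put "This variable is deprecated. You should use ENCRYPT_METHOD." first. Consider dropping the PAM advice here and keeping it only under ENCRYPT_METHOD, which the following block says overrides this option.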
@@ -286,6 +291,9 @@
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
#ENCRYPT_METHOD DES
#
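Review bot: The PAM note added under ENCRYPT_METHOD says to use "a value consistent with the PAM modules configuration" without saying which tools take the algorithm from this file and which take it from PAM, or what an inconsistent setup produces. One more comment line stating the consequence (for example, that password hashes end up in different formats depending on which tool wrote them, if that is the case) would tell the administrator why the recommendation matters.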
Modified: upstream/trunk/man/chgpasswd.8.xml
===================================================================
--- upstream/trunk/man/chgpasswd.8.xml 2007-11-20 12:18:36 UTC (rev 1417)
+++ upstream/trunk/man/chgpasswd.8.xml 2007-11-20 12:59:20 UTC (rev 1418)
@@ -36,6 +36,12 @@
encryption algorithm is DES.
</para>
<para>
+ The default encryption algorithm can be defined for the system with
+ the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+ and can be overwiten with the <option>-e</option>,
+ <option>-m</option>, or <option>-c</option> options.
+ </para>
+ <para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
</para>
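Review bot: Typo in the third added line of this paragraph: "overwiten" should be "overridden" (the options override the configured default, they do not overwrite it). ENCRYPT_METHOD is also left as bare text while the file path next to it is marked up with <filename>, so consider marking up the variable name as well.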
@@ -49,6 +55,16 @@
</para>
<variablelist remap='IP'>
<varlistentry>
+ <term><option>-c</option>, <option>--crypt-method</option></term>
+ <listitem>
+ <para>Use the specified method to encrypt the passwords.</para>
+ <para>
+ The available methods are DES, MD5, and SHA256 or SHA512
+ if compiled with the ENCRYPTMETHOD_SELECT flag.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>-e</option>, <option>--encrypted</option></term>
<listitem>
<para>Supplied passwords are in encrypted form.</para>
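Review bot: The sentence "The available methods are DES, MD5, and SHA256 or SHA512 if compiled with the ENCRYPTMETHOD_SELECT flag." is ambiguous about what the condition covers. As written it can be read as making all four methods depend on the build flag. Split it into two sentences, one listing the methods that are always available and one for those that need the flag. The <term> also does not show that -c takes an argument, so add a placeholder for the method name.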
@@ -69,6 +85,31 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-s</option>, <option>--sha-rounds</option></term>
+ <listitem>
+ <para>
+ Use the specified number of rounds to encrypt the passwords.
+ </para>
+ <para>
+ The value 0 means that the system will choose the default
+ number of rounds for the crypt method (5000).
+ </para>
+ <para>
+ A minimal value of 1000 and a maximal value of 999,999,999
+ will be enforced.
+ </para>
+ <para>
+ You can only use this option with the SHA256 or SHA512
+ crypt method.
+ </para>
+ <para>
+ By default, the number of rounds is defined by the
+ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+ <filename>/etc/login.defs</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
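Review bot: In the -s entry, "A minimal value of 1000 and a maximal value of 999,999,999 will be enforced." does not say whether an out-of-range value is rejected with an error or silently clamped, and the two behaviours matter differently in a batch job. The entry also gives two defaults: the 0 paragraph says the default is 5000, while the last paragraph says the default comes from SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS. State the precedence between them in one place.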
@@ -88,6 +129,9 @@
</citerefentry>,
<citerefentry>
<refentrytitle>groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
Modified: upstream/trunk/man/chpasswd.8.xml
===================================================================
--- upstream/trunk/man/chpasswd.8.xml 2007-11-20 12:18:36 UTC (rev 1417)
+++ upstream/trunk/man/chpasswd.8.xml 2007-11-20 12:59:20 UTC (rev 1418)
@@ -37,6 +37,12 @@
present.
</para>
<para>
+ The default encryption algorithm can be defined for the system with
+ the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+ and can be overwiten with the <option>-e</option>,
+ <option>-m</option>, or <option>-c</option> options.
+ </para>
+ <para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
</para>
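Review bot: The added paragraph lists -e among the options that override the default algorithm, but the -e entry in this same file reads "Supplied passwords are in encrypted form.", which means no algorithm is applied at all. Word it so that -m and -c select a different method and -e bypasses hashing. The typo "overwiten" also needs fixing here ("overridden").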
@@ -50,6 +56,16 @@
</para>
<variablelist remap='IP'>
<varlistentry>
+ <term><option>-c</option>, <option>--crypt-method</option></term>
+ <listitem>
+ <para>Use the specified method to encrypt the passwords.</para>
+ <para>
+ The available methods are DES, MD5, and SHA256 or SHA512
+ if compiled with the ENCRYPTMETHOD_SELECT flag.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>-e</option>, <option>--encrypted</option></term>
<listitem>
<para>Supplied passwords are in encrypted form.</para>
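Review bot: The new -c entry does not say how it interacts with -e and -m, which the paragraph added earlier in this file names as alternative ways to override the default. Document whether combining them is an error or which one wins. The text is also a verbatim copy of the chgpasswd.8.xml entry, so any rewording has to be applied to both files.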
@@ -70,6 +86,31 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-s</option>, <option>--sha-rounds</option></term>
+ <listitem>
+ <para>
+ Use the specified number of rounds to encrypt the passwords.
+ </para>
+ <para>
+ The value 0 means that the system will choose the default
+ number of rounds for the crypt method (5000).
+ </para>
+ <para>
+ A minimal value of 1000 and a maximal value of 999,999,999
+ will be enforced.
+ </para>
+ <para>
+ You can only use this option with the SHA256 or SHA512
+ crypt method.
+ </para>
+ <para>
+ By default, the number of rounds is defined by the
+ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+ <filename>/etc/login.defs</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
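Review bot: "You can only use this option with the SHA256 or SHA512 crypt method." does not say what happens when -s is given with DES or MD5: an error, or the value being ignored. Say which. The enforced minimum of 1000 is below the stated default of 5000, so this option can lower the hashing cost as well as raise it. A sentence pointing that out would help readers who assume -s only strengthens the result.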
@@ -99,6 +140,9 @@
</citerefentry>,
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
Modified: upstream/trunk/man/login.defs.5.xml
===================================================================
--- upstream/trunk/man/login.defs.5.xml 2007-11-20 12:18:36 UTC (rev 1417)
+++ upstream/trunk/man/login.defs.5.xml 2007-11-20 12:59:20 UTC (rev 1418)
@@ -73,6 +73,34 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>ENCRYPT_METHOD (string)</term>
+ <listitem>
+ <para>
+ If set to MD5, the MD5-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to SHA256, the SHA256-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to SHA512, the SHA512-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to DES, the DES-based algorithm will be used for
+ encrypting passwords. It is the default algorithm.
+ </para>
+ <para>
+ Note: this parameter overrides the MD5_CRYPT_ENAB option.
+ </para>
+ <para>
+ Note: if you use PAM, it is recommended to set this variable
+ consistently with the PAM modules configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>GID_MAX (number)</term>
<term>GID_MIN (number)</term>
<listitem>
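Review bot: The ENCRYPT_METHOD entry lists SHA256 and SHA512 unconditionally, while the -c entries added to chpasswd.8.xml and chgpasswd.8.xml in this same commit say those two are only available "if compiled with the ENCRYPTMETHOD_SELECT flag". Carry the same condition here so the two pages agree. The four near-identical paragraphs would also read better as one list of accepted values with the default (DES) stated first.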
@@ -94,6 +122,27 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>MD5_CRYPT_ENAB (boolean)</term>
+ <listitem>
+ <para>
+ Indicate if passwords must be encrypted using the MD5-based
+ algorithm. If set to "yes", new passwords will be encrypted
+ using the MD5-based algorithm compatible with the one used by
+ recent releases of FreeBSD. It supports passwords of
+ unlimited length and longer salt strings. Set to "no" if you
+ need to copy encrypted passwords to other systems which don't
+ understand the new algorithm. Default is "no".
+ </para>
+ <para>
+ This variable is deprecated. You should use ENCRYPT_METHOD.
+ </para>
+ <para>
+ Note: if you use PAM, it is recommended to set this variable
+ consistently with the PAM modules configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>PASS_MAX_DAYS (number)</term>
<listitem>
<para>
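Review bot: The MD5_CRYPT_ENAB entry never says that the variable is overridden when ENCRYPT_METHOD is set. That fact appears only in the ENCRYPT_METHOD entry, so a reader who lands here will not learn that their setting may be ignored. Add the cross-reference next to the deprecation sentence, and move that sentence to the top of the entry rather than after the long description.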
@@ -135,6 +184,35 @@
</para>
<variablelist remap='IP'>
<varlistentry>
+ <term>SHA_CRYPT_MIN_ROUNDS (number)</term>
+ <term>SHA_CRYPT_MAX_ROUNDS (number)</term>
+ <listitem>
+ <para>
+ When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
+ the number of SHA rounds used by the encryption algorithm.
+ </para>
+ <para>
+ With a lot of rounds, it is more difficult to brute forcing
+ the password. But note also that more CPU resources will be
+ needed to authenticate users.
+ </para>
+ <para>
+ If not specified, the libc will choose the default number of rounds
+ (5000).
+ </para>
+ <para>
+ The values must be inside the 1000-999999999 range.
+ </para>
+ <para>
+ If only one of the MIN or MAX values is set, then this value will be
+ used.
+ </para>
+ <para>
+ If MIN > MAX, the highest value will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>UID_MAX (number)</term>
<term>UID_MIN (number)</term>
<listitem>
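Review bot: The SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS entry covers "only one set" and "MIN > MAX" but not the normal case where both are set and MIN is lower than MAX. Say how the number of rounds is chosen within that range, and what happens to a value outside 1000-999999999. Grammar in the second paragraph: "it is more difficult to brute forcing the password" should be "to brute force the password".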