Diffstat (limited to 'man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml')
-rw-r--r-- | man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml new file mode 100644 index 0000000..43972d7 --- /dev/null +++ b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml @@ -0,0 +1,45 @@ +<!-- + SPDX-FileCopyrightText: 2007 - 2008, Nicolas François + SPDX-License-Identifier: BSD-3-Clause +--> +<varlistentry condition="sha_crypt"> + <term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term> + <term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term> + <listitem> + <para> + When <option>ENCRYPT_METHOD</option> is set to + <replaceable>SHA256</replaceable> or + <replaceable>SHA512</replaceable>, this defines the number of SHA + rounds used by the encryption algorithm by default (when the number + of rounds is not specified on the command line). + </para> + <para> + With a lot of rounds, it is more difficult to brute forcing the + password. But note also that more CPU resources will be needed to + authenticate users. + </para> + <para> + If not specified, the libc will choose the default number of rounds + (5000), which is orders of magnitude too low for modern hardware. + </para> + <para> + The values must be inside the 1000-999,999,999 range. + </para> + <para> + If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or + <option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this value + will be used. + </para> + <para> + If <option>SHA_CRYPT_MIN_ROUNDS</option> > + <option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will be + used. + </para> + <para condition="pam"> + Note: This only affect the generation of group passwords. + The generation of user passwords is done by PAM and subject to the + PAM configuration. It is recommended to set this variable + consistently with the PAM configuration. + </para> + </listitem> +</varlistentry> |
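Review bot: The listitem documents the case where only one of SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS is set and the case where MIN > MAX, but not the ordinary case where both are set with MIN below MAX; please add a para stating how the round count is chosen between the two bounds. Related gaps in the same listitem: the para that calls the libc default of 5000 "orders of magnitude too low for modern hardware" gives no guidance on what to set instead, and the "1000-999,999,999 range" para does not say what happens to a value outside that range (rejected, clamped, or ignored). Wording: "more difficult to brute forcing the password" should read "more difficult to brute force the password", and "This only affect the generation" should read "This only affects the generation". The bare ">" between the two option elements is legal XML, but writing it as "&gt;" is the safer form for the DocBook toolchain.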