ahill/shadow
1
0
Fork 0
mirror of https://github.com/shadow-maint/shadow.git synced 2026-01-26 14:03:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

man/: add BCRYPT and YESCRYPT information

Browse Source 
The BCRYPT and YESCRYPT relevant items should be described in
manual pages.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
This commit is contained in:
Tobias Stoeckmann 2023-12-19 17:39:54 +01:00 committed by Serge Hallyn
parent f89ba6822d
commit 11091949be
12 changed files with 241 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
man/Makefile.am
View File

@ -125,6 +125,7 @@ man_XMANS += lastlog.8.xml
endif
login_defs_v = \
BCRYPT_MIN_ROUNDS.xml \
CHFN_AUTH.xml \
CHFN_RESTRICT.xml \
CHSH_AUTH.xml \
@ -191,7 +192,8 @@ login_defs_v = \
SUB_GID_COUNT.xml \
SUB_UID_COUNT.xml \
SYS_GID_MAX.xml \
SYS_UID_MAX.xml
SYS_UID_MAX.xml \
YESCRYPT_COST_FACTOR.xml
EXTRA_DIST = \
$(man_MANS) \

68
man/chgpasswd.8.xml
View File

@ -6,10 +6,12 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
@ -88,12 +90,16 @@
<term><option>-c</option>, <option>--crypt-method</option></term>
<listitem>
<para>Use the specified method to encrypt the passwords.</para>
<para condition="no_sha_crypt">
The available methods are DES, MD5, and NONE.
</para>
<para condition="sha_crypt">
The available methods are DES, MD5, NONE, and SHA256 or SHA512
if your libc support these methods.
<para>
The available methods are <phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable>,</phrase>
<replaceable>DES</replaceable>,
<replaceable>MD5</replaceable><phrase condition="sha_crypt">,
<replaceable>SHA256</replaceable>,
<replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
<replaceable>YESCRYPT</replaceable></phrase> and
<replaceable>NONE</replaceable>
if your libc supports these methods.
</para>
</listitem>
</varlistentry>
@ -131,29 +137,49 @@
</para>
</listitem>
</varlistentry>
<varlistentry condition="sha_crypt">
<varlistentry condition="bcrypt;sha_crypt;yescrypt">
<term><option>-s</option>, <option>--sha-rounds</option></term>
<listitem>
<para>
Use the specified number of rounds to encrypt the passwords.
</para>
<para>
The value 0 means that the system will choose the default
number of rounds for the crypt method (5000).
You can only use this option with crypt method:
<phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable></phrase>
<phrase condition="sha_crypt">
<replaceable>SHA256</replaceable>
<replaceable>SHA512</replaceable></phrase>
<phrase condition="yescrypt">
<replaceable>YESCRYPT</replaceable></phrase>
</para>
<para>
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced.
</para>
<para>
You can only use this option with the SHA256 or SHA512
crypt method.
</para>
<para>
By default, the number of rounds is defined by the
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<para condition="bcrypt">
By default, the number of rounds for BCRYPT is defined by the
BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="bcrypt">
A minimal value of 4 and a maximal value of 31
will be enforced for BCRYPT. The default number of rounds is 13.
</para>
<para condition="sha_crypt">
By default, the number of rounds for SHA256 or SHA512 is defined by
the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="sha_crypt">
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced for SHA256 and SHA512. The default number of rounds
is 5000.
</para>
<para condition="yescrypt">
By default, the number of rounds for YESCRYPT is defined by the
YESCRYPT_COST_FACTOR in <filename>/etc/login.defs</filename>.
</para>
<para condition="yescrypt">
A minimal value of 1 and a maximal value of 11
will be enforced for YESCRYPT. The default number of rounds is 5.
</para>
</listitem>
</varlistentry>
</variablelist>
@ -179,10 +205,12 @@
tool:
</para>
<variablelist>
&BCRYPT_MIN_ROUNDS; <!--This also document BCRYPT_MAX_ROUNDS-->
&ENCRYPT_METHOD;
&MAX_MEMBERS_PER_GROUP;
&MD5_CRYPT_ENAB;
&SHA_CRYPT_MIN_ROUNDS; <!--This also document SHA_CRYPT_MAX_ROUNDS-->
&YESCRYPT_COST_FACTOR;
</variablelist>
</refsect1>

69
man/chpasswd.8.xml
View File

@ -6,9 +6,11 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
@ -115,12 +117,16 @@
</term>
<listitem>
<para>Use the specified method to encrypt the passwords.</para>
<para condition="no_sha_crypt">
The available methods are DES, MD5, and NONE.
</para>
<para condition="sha_crypt">
The available methods are DES, MD5, NONE, and SHA256 or SHA512
if your libc support these methods.
<para>
The available methods are <phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable>,</phrase>
<replaceable>DES</replaceable>,
<replaceable>MD5</replaceable><phrase condition="sha_crypt">,
<replaceable>SHA256</replaceable>,
<replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
<replaceable>YESCRYPT</replaceable></phrase> and
<replaceable>NONE</replaceable>
if your libc supports these methods.
</para>
<para condition="pam">
By default, PAM is used to encrypt the passwords.
@ -188,7 +194,7 @@
</para>
</listitem>
</varlistentry>
<varlistentry condition="sha_crypt">
<varlistentry condition="bcrypt;sha_crypt;yescrypt">
<term>
<option>-s</option>, <option>--sha-rounds</option>&nbsp;<replaceable>ROUNDS</replaceable>
</term>
@ -197,23 +203,42 @@
Use the specified number of rounds to encrypt the passwords.
</para>
<para>
The value 0 means that the system will choose the default
number of rounds for the crypt method (5000).
You can only use this option with crypt method:
<phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable></phrase>
<phrase condition="sha_crypt">
<replaceable>SHA256</replaceable>
<replaceable>SHA512</replaceable></phrase>
<phrase condition="yescrypt">
<replaceable>YESCRYPT</replaceable></phrase>
</para>
<para>
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced.
</para>
<para>
You can only use this option with the SHA256 or SHA512
crypt method.
</para>
<para>
By default, the number of rounds is defined by the
<option>SHA_CRYPT_MIN_ROUNDS</option> and
<option>SHA_CRYPT_MAX_ROUNDS</option> variables in
<para condition="bcrypt">
By default, the number of rounds for BCRYPT is defined by the
BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="bcrypt">
A minimal value of 4 and a maximal value of 31
will be enforced for BCRYPT. The default number of rounds is 13.
</para>
<para condition="sha_crypt">
By default, the number of rounds for SHA256 or SHA512 is defined by
the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="sha_crypt">
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced for SHA256 and SHA512. The default number of rounds
is 5000.
</para>
<para condition="yescrypt">
By default, the number of rounds for YESCRYPT is defined by the
YESCRYPT_COST_FACTOR in <filename>/etc/login.defs</filename>.
</para>
<para condition="yescrypt">
A minimal value of 1 and a maximal value of 11
will be enforced for YESCRYPT. The default number of rounds is 5.
</para>
</listitem>
</varlistentry>
</variablelist>
@ -239,7 +264,9 @@
&MD5_CRYPT_ENAB;
</variablelist>
<variablelist>
&BCRYPT_MIN_ROUNDS; <!--documents also BCRYPT_MAX_ROUNDS-->
&SHA_CRYPT_MIN_ROUNDS; <!--documents also SHA_CRYPT_MAX_ROUNDS-->
&YESCRYPT_COST_FACTOR;
</variablelist>
</refsect1>

14
man/generate_mans.mak
View File

@ -25,6 +25,18 @@ else
SHA_CRYPT_COND=no_sha_crypt
endif
if USE_BCRYPT
BCRYPT_COND=bcrypt
else
BCRYPT_COND=no_bcrypt
endif
if USE_YESCRYPT
YESCRYPT_COND=yescrypt
else
YESCRYPT_COND=no_yescrypt
endif
if ENABLE_SUBIDS
SUBIDS_COND=subids
else
@ -50,7 +62,7 @@ if ENABLE_REGENERATE_MAN
fi
man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \
$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \
--param "man.authors.section.enabled" "0" \
--stringparam "man.output.base.dir" "" \
--stringparam vendordir "$(VENDORDIR)" \

2
man/gpasswd.1.xml
View File

@ -6,10 +6,12 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>

19
man/login.defs.5.xml
View File

@ -7,6 +7,7 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY CHFN_AUTH SYSTEM "login.defs.d/CHFN_AUTH.xml">
<!ENTITY CHFN_RESTRICT SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
<!ENTITY CHSH_AUTH SYSTEM "login.defs.d/CHSH_AUTH.xml">
@ -74,6 +75,7 @@
<!ENTITY USERDEL_CMD SYSTEM "login.defs.d/USERDEL_CMD.xml">
<!ENTITY USERGROUPS_ENAB SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
<!ENTITY USE_TCB SYSTEM "login.defs.d/USE_TCB.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
@ -145,6 +147,7 @@
<para>The following configuration items are provided:</para>
<variablelist remap='IP'>
&BCRYPT_MIN_ROUNDS; <!-- documents also BCRYPT_MAX_ROUNDS -->
&CHFN_AUTH;
&CHFN_RESTRICT;
&CHSH_AUTH;
@ -218,6 +221,7 @@
&USERDEL_CMD;
&USERGROUPS_ENAB;
&USE_TCB;
&YESCRYPT_COST_FACTOR;
</variablelist>
</refsect1>
@ -249,9 +253,12 @@
<term>chgpasswd</term>
<listitem>
<para>
<phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
BCRYPT_MIN_ROUNDS</phrase>
ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
</varlistentry>
@ -259,10 +266,13 @@
<term>chpasswd</term>
<listitem>
<para>
<phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
BCRYPT_MIN_ROUNDS</phrase>
<phrase condition="no_pam">ENCRYPT_METHOD
MD5_CRYPT_ENAB </phrase>
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
</varlistentry>
@ -280,9 +290,12 @@
<term>gpasswd</term>
<listitem>
<para>
<phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
BCRYPT_MIN_ROUNDS</phrase>
ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
</varlistentry>
@ -380,6 +393,8 @@
<term>newusers</term>
<listitem>
<para>
<phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
BCRYPT_MIN_ROUNDS</phrase>
ENCRYPT_METHOD
GID_MAX GID_MIN
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
@ -391,6 +406,7 @@
SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
UMASK
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
</varlistentry>
@ -399,10 +415,13 @@
<term>passwd</term>
<listitem>
<para>
<phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
BCRYPT_MIN_ROUNDS</phrase>
ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
<phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
</para>
</listitem>
</varlistentry>

40
man/login.defs.d/BCRYPT_MIN_ROUNDS.xml Normal file
View File

@ -0,0 +1,40 @@
<!--
SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<varlistentry condition="bcrypt">
<term><option>BCRYPT_MIN_ROUNDS</option> (number)</term>
<term><option>BCRYPT_MAX_ROUNDS</option> (number)</term>
<listitem>
<para>
When <option>ENCRYPT_METHOD</option> is set to
<replaceable>BCRYPT</replaceable>, this defines the number of
BCRYPT rounds used by the encryption algorithm by default (when the
number of rounds is not specified on the command line).
</para>
<para>
With a lot of rounds, it is more difficult to brute force the
password. But note also that more CPU resources will be needed to
authenticate users.
</para>
<para>
The values must be inside the 4-31 range.
</para>
<para>
If only one of the <option>BCRYPT_MIN_ROUNDS</option> or
<option>BCRYPT_MAX_ROUNDS</option> values is set, then this value
will be used.
</para>
<para>
If <option>BCRYPT_MIN_ROUNDS</option> &gt;
<option>BCRYPT_MAX_ROUNDS</option>, the highest value will be
used.
</para>
<para condition="pam">
Note: This only affect the generation of group passwords.
The generation of user passwords is done by PAM and subject to the
PAM configuration. It is recommended to set this variable
consistently with the PAM configuration.
</para>
</listitem>
</varlistentry>

6
man/login.defs.d/ENCRYPT_METHOD.xml
View File

@ -10,11 +10,13 @@
passwords (if no algorithm are specified on the command line).
</para>
<para>
It can take one of these values:
It can take one of these values: <phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable>,</phrase>
<replaceable>DES</replaceable> (default),
<replaceable>MD5</replaceable><phrase condition="sha_crypt">,
<replaceable>SHA256</replaceable>,
<replaceable>SHA512</replaceable></phrase>.
<replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
<replaceable>YESCRYPT</replaceable></phrase>.
MD5 and DES should not be used for new hashes, see
<refentrytitle>crypt</refentrytitle><manvolnum>5</manvolnum>
for recommendations.

2
man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml
View File

@ -14,7 +14,7 @@
of rounds is not specified on the command line).
</para>
<para>
With a lot of rounds, it is more difficult to brute forcing the
With a lot of rounds, it is more difficult to brute force the
password. But note also that more CPU resources will be needed to
authenticate users.
</para>

29
man/login.defs.d/YESCRYPT_COST_FACTOR.xml Normal file
View File

@ -0,0 +1,29 @@
<!--
SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<varlistentry condition="yescrypt">
<term><option>YESCRYPT_COST_FACTOR</option> (number)</term>
<listitem>
<para>
When <option>ENCRYPT_METHOD</option> is set to
<replaceable>YESCRYPT</replaceable>, this defines the cost factor
used by the encryption algorithm by default (when the cost factor
is not specified on the command line).
</para>
<para>
With a high cost factor, it is more difficult to brute force the
password. But note also that more CPU resources will be needed to
authenticate users.
</para>
<para>
The value must be inside the 1-11 range.
</para>
<para condition="pam">
Note: This only affect the generation of group passwords.
The generation of user passwords is done by PAM and subject to the
PAM configuration. It is recommended to set this variable
consistently with the PAM configuration.
</para>
</listitem>
</varlistentry>

43
man/newusers.8.xml
View File

@ -6,6 +6,7 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
@ -21,6 +22,7 @@
<!ENTITY SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml">
<!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml">
<!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
@ -316,29 +318,48 @@
</varlistentry>
</variablelist>
<variablelist remap='IP' condition="no_pam">
<varlistentry condition="sha_crypt">
<varlistentry condition="bcrypt;sha_crypt;yescrypt">
<term><option>-s</option>, <option>--sha-rounds</option></term>
<listitem>
<para>
Use the specified number of rounds to encrypt the passwords.
</para>
<para>
The value 0 means that the system will choose the default
number of rounds for the crypt method (5000).
You can only use this option with crypt method:
<phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable></phrase>
<phrase condition="sha_crypt">
<replaceable>SHA256</replaceable>
<replaceable>SHA512</replaceable></phrase>
<phrase condition="yescrypt">
<replaceable>YESCRYPT</replaceable></phrase>
</para>
<para>
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced.
<para condition="bcrypt">
By default, the number of rounds for BCRYPT is defined by the
BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para>
You can only use this option with the SHA256 or SHA512
crypt method.
<para condition="bcrypt">
A minimal value of 4 and a maximal value of 31
will be enforced for BCRYPT. The default is 13.
</para>
<para>
By default, the number of rounds is defined by the
<para condition="sha_crypt">
By default, the number of rounds for SHA256 or SHA512 is defined by the
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="sha_crypt">
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced for SHA256 and SHA512. The default is 5000.
</para>
<para condition="yescrypt">
By default, the number of rounds for YESCRYPT is defined by the
YESCRYPT_COST_FACTOR in <filename>/etc/login.defs</filename>.
</para>
<para condition="yescrypt">
A minimal value of 1 and a maximal value of 11
will be enforced for YESCRYPT. The default is 5.
</para>
</listitem>
</varlistentry>
</variablelist>

2
man/passwd.1.xml
View File

@ -6,6 +6,7 @@
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY OBSCURE_CHECKS_ENAB SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
@ -13,6 +14,7 @@
<!ENTITY PASS_CHANGE_TRIES SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
<!ENTITY PASS_MAX_LEN SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='passwd.1'>