ahill/shadow
1
0
Fork 0
mirror of https://github.com/shadow-maint/shadow.git synced 2026-01-26 05:57:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

PASS_MAX_LEN.xml: Explain PASS_MAX_LEN use cases

Browse Source 
The `PASS_MAX_LEN` is effectively only used for DES. Do not describe it
in a way that makes it sound like `MD_CRYPT_ENAB=yes` is required to
disable it. Any other `ENCRYPT_METHOD` disables it as well.

Also, even for DES, `PASS_MAX_LEN` requires `OBSCURE_CHECKS_ENAB` to
have any effect.

Even more, `PASS_MIN_LEN` and `PASS_MAX_LEN` are only used for
user passwords. Group passwords are not checked.

Note: All of this is actually true even if compiled with PAM if command
line arguments change root. But if compiled with PAM support, this
section is not added to manual pages... Since this is true for some
more files, it's not part of this commit.

Link to source files:
- lib/obscure.c line 133 stops further checks, including max length,
  if OBSCURE_CHECS_ENAB is not yes
- lib/obscure.c line 172 is only reached in case of DES
- src/passwd.c line 248 duplicates the check for output
- src/gpasswd.c has no reference to obscure

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
This commit is contained in:
Tobias Stoeckmann 2025-12-19 11:02:45 +00:00 committed by Alejandro Colomar
parent 734fe78a74
commit 7255cd93a6
1 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
man/login.defs.d/PASS_MAX_LEN.xml
View File

@ -10,10 +10,26 @@
<listitem>
<para>
Number of significant characters in the password for crypt().
<option>PASS_MAX_LEN</option> is 8 by default. Don't change unless
your crypt() is better. This is ignored if
<option>MD5_CRYPT_ENAB</option> set to
</para>
<para>
<option>PASS_MAX_LEN</option> is 8 by default.
Don't change unless your crypt() is better.
</para>
<para>
<option>PASS_MAX_LEN</option> is only used for DES.
It is ignored if an encryption algorithm other than DES is used,
either because <option>MD5_CRYPT_ENAB</option> set to
<replaceable>yes</replaceable> or <option>ENCRYPT_METHOD</option>
set to an algorithm other than <replaceable>DES</replaceable>.
</para>
<para>
In addition, <option>PASS_MAX_LEN</option> is only used if
<option>OBSCURE_CHECKS_ENAB</option> set to
<replaceable>yes</replaceable>.
</para>
<para>
Note: This only affects the generation of user passwords.
Group password lengths are not checked.
</para>
</listitem>
</varlistentry>