ahill/shadow
1
0
Fork 0
mirror of https://github.com/shadow-maint/shadow.git synced 2026-01-26 14:03:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
shadow/man/login.defs.d/PASS_MAX_LEN.xml
Tobias Stoeckmann 7255cd93a6 PASS_MAX_LEN.xml: Explain PASS_MAX_LEN use cases 
The `PASS_MAX_LEN` is effectively only used for DES. Do not describe it
in a way that makes it sound like `MD_CRYPT_ENAB=yes` is required to
disable it. Any other `ENCRYPT_METHOD` disables it as well.

Also, even for DES, `PASS_MAX_LEN` requires `OBSCURE_CHECKS_ENAB` to
have any effect.

Even more, `PASS_MIN_LEN` and `PASS_MAX_LEN` are only used for
user passwords. Group passwords are not checked.

Note: All of this is actually true even if compiled with PAM if command
line arguments change root. But if compiled with PAM support, this
section is not added to manual pages... Since this is true for some
more files, it's not part of this commit.

Link to source files:
- lib/obscure.c line 133 stops further checks, including max length,
  if OBSCURE_CHECS_ENAB is not yes
- lib/obscure.c line 172 is only reached in case of DES
- src/passwd.c line 248 duplicates the check for output
- src/gpasswd.c has no reference to obscure

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2025-12-19 17:01:11 +01:00

36 lines
1.3 KiB
XML
Raw Blame History

<!--
SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<varlistentry condition="no_pam">
<term><option>PASS_MAX_LEN</option> (number)</term>
<term><option>PASS_MIN_LEN</option> (number)</term>
<listitem>
<para>
Number of significant characters in the password for crypt().
</para>
<para>
<option>PASS_MAX_LEN</option> is 8 by default.
Don't change unless your crypt() is better.
</para>
<para>
<option>PASS_MAX_LEN</option> is only used for DES.
It is ignored if an encryption algorithm other than DES is used,
either because <option>MD5_CRYPT_ENAB</option> set to
<replaceable>yes</replaceable> or <option>ENCRYPT_METHOD</option>
set to an algorithm other than <replaceable>DES</replaceable>.
</para>
<para>
In addition, <option>PASS_MAX_LEN</option> is only used if
<option>OBSCURE_CHECKS_ENAB</option> set to
<replaceable>yes</replaceable>.
</para>
<para>
Note: This only affects the generation of user passwords.
Group password lengths are not checked.
</para>
</listitem>
</varlistentry>
Reference in New Issue View Git Blame Copy Permalink