+2007-11-20 Nicolas François <nicolas.francois@centraliens.net>
+
+ * man/chpasswd.8.xml, man/chgpasswd.8.xml: Document how the
+ encryption algorithm is chosen for the passwords. Document the new
+ -c and -s options. Add a reference to login.defs(5).
+ * man/login.defs.5.xml: Document the ENCRYPT_METHOD,
+ MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS
+ variables.
+ * etc/login.defs: Indicate that MD5_CRYPT_ENAB is deprecated.
+ Document the relationship with PAM for MD5_CRYPT_ENAB and
+ ENCRYPT_METHOD.
+
2007-11-20 Nicolas François <nicolas.francois@centraliens.net>
* src/passwd.c: Increase the size of crypt_passwd from 128 to 256
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
#MD5_CRYPT_ENAB no
#
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
#ENCRYPT_METHOD DES
#
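Review bot: the new deprecation comment ("This variable is deprecated. You should use ENCRYPT_METHOD.") should name the equivalent setting so an administrator can migrate without guessing, e.g. "MD5_CRYPT_ENAB yes is equivalent to ENCRYPT_METHOD MD5; ENCRYPT_METHOD takes precedence when both are set", which also matches the "Overrides the MD5_CRYPT_ENAB option" line below. The PAM note is pasted verbatim under both variables; consider stating it once, above MD5_CRYPT_ENAB, and referring to it from ENCRYPT_METHOD so the two copies cannot drift.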
By default the supplied password must be in clear-text. Default
encryption algorithm is DES.
</para>
+ <para>
+ The default encryption algorithm can be defined for the system with
+ the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+ and can be overwiten with the <option>-e</option>,
+ <option>-m</option>, or <option>-c</option> options.
+ </para>
<para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
are:
</para>
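Review bot: typo in the new paragraph, "overwiten" should be "overridden". The same paragraph now contradicts the unchanged sentence just above it ("Default encryption algorithm is DES."), since the default is whatever ENCRYPT_METHOD selects; suggest rewording that sentence to "The default encryption algorithm is DES unless ENCRYPT_METHOD is set in /etc/login.defs." so the two statements agree.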
<variablelist remap='IP'>
+ <varlistentry>
+ <term><option>-c</option>, <option>--crypt-method</option></term>
+ <listitem>
+ <para>Use the specified method to encrypt the passwords.</para>
+ <para>
+ The available methods are DES, MD5, and SHA256 or SHA512
+ if compiled with the ENCRYPTMETHOD_SELECT flag.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>-e</option>, <option>--encrypted</option></term>
<listitem>
</para>
</listitem>
</varlistentry>
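Review bot: the -c/--crypt-method entry does not say how it interacts with -e and -m, which the paragraph above lists as alternative ways of overriding ENCRYPT_METHOD; state whether they are mutually exclusive (an error if combined) or which one wins. It would also help to say explicitly that -c ignores MD5_CRYPT_ENAB, consistent with the ENCRYPT_METHOD override documented in login.defs(5).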
+ <varlistentry>
+ <term><option>-s</option>, <option>--sha-rounds</option></term>
+ <listitem>
+ <para>
+ Use the specified number of rounds to encrypt the passwords.
+ </para>
+ <para>
+ The value 0 means that the system will choose the default
+ number of rounds for the crypt method (5000).
+ </para>
+ <para>
+ A minimal value of 1000 and a maximal value of 999,999,999
+ will be enforced.
+ </para>
+ <para>
+ You can only use this option with the SHA256 or SHA512
+ crypt method.
+ </para>
+ <para>
+ By default, the number of rounds is defined by the
+ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+ <filename>/etc/login.defs</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
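Review bot: the -s/--sha-rounds entry is internally inconsistent: "The value 0 means ... the default number of rounds" is followed by "A minimal value of 1000 ... will be enforced", which as written excludes 0. Suggest "Values other than 0 must be in the 1000-999999999 range." and use the same unformatted number as login.defs(5) rather than "999,999,999". The last paragraph should also say that an explicit -s value takes precedence over SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS, not only that those variables supply the default.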
</citerefentry>,
<citerefentry>
<refentrytitle>groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
encryption algorithm is DES. Also the password age will be updated, if
present.
</para>
+ <para>
+ The default encryption algorithm can be defined for the system with
+ the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
+ and can be overwiten with the <option>-e</option>,
+ <option>-m</option>, or <option>-c</option> options.
+ </para>
<para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
are:
</para>
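Review bot: "overwiten" should be "overridden" here in chgpasswd.8.xml as well, and the preceding unchanged sentence ("encryption algorithm is DES") should be qualified with "unless ENCRYPT_METHOD is set in /etc/login.defs" so it does not contradict the new paragraph.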
<variablelist remap='IP'>
+ <varlistentry>
+ <term><option>-c</option>, <option>--crypt-method</option></term>
+ <listitem>
+ <para>Use the specified method to encrypt the passwords.</para>
+ <para>
+ The available methods are DES, MD5, and SHA256 or SHA512
+ if compiled with the ENCRYPTMETHOD_SELECT flag.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>-e</option>, <option>--encrypted</option></term>
<listitem>
</para>
</listitem>
</varlistentry>
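Review bot: as in chpasswd.8.xml, the -c entry should state how it combines with -e and -m (mutually exclusive, or which takes precedence), since the paragraph above presents all three as overrides of ENCRYPT_METHOD.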
+ <varlistentry>
+ <term><option>-s</option>, <option>--sha-rounds</option></term>
+ <listitem>
+ <para>
+ Use the specified number of rounds to encrypt the passwords.
+ </para>
+ <para>
+ The value 0 means that the system will choose the default
+ number of rounds for the crypt method (5000).
+ </para>
+ <para>
+ A minimal value of 1000 and a maximal value of 999,999,999
+ will be enforced.
+ </para>
+ <para>
+ You can only use this option with the SHA256 or SHA512
+ crypt method.
+ </para>
+ <para>
+ By default, the number of rounds is defined by the
+ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
+ <filename>/etc/login.defs</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
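Review bot: same inconsistency as in chpasswd.8.xml: the special value 0 is allowed two paragraphs before "A minimal value of 1000 ... will be enforced"; write "Values other than 0 must be in the 1000-999999999 range." and drop the comma-formatted "999,999,999" so the range reads the same as in login.defs(5).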
</citerefentry>,
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ENCRYPT_METHOD (string)</term>
+ <listitem>
+ <para>
+ If set to MD5, the MD5-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to SHA256, the SHA256-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to SHA512, the SHA512-based algorithm will be used for
+ encrypting passwords.
+ </para>
+ <para>
+ If set to DES, the DES-based algorithm will be used for
+ encrypting passwords. It is the default algorithm.
+ </para>
+ <para>
+ Note: this parameter overrides the MD5_CRYPT_ENAB option.
+ </para>
+ <para>
+ Note: if you use PAM, it is recommended to set this variable
+ consistently with the PAM modules configuration.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>GID_MAX (number)</term>
<term>GID_MIN (number)</term>
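Review bot: the ENCRYPT_METHOD entry lists SHA256 and SHA512 unconditionally, while the chpasswd -c text in this same patch says they are available only "if compiled with the ENCRYPTMETHOD_SELECT flag"; add that caveat here too, since this is the page administrators will read when choosing a value. Style point: put the DES paragraph first, as it is the default and the other three are variations on it, and state what happens with an unrecognised value (ignored with a warning, or treated as DES) if the code defines that.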
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>MD5_CRYPT_ENAB (boolean)</term>
+ <listitem>
+ <para>
+ Indicate if passwords must be encrypted using the MD5-based
+ algorithm. If set to "yes", new passwords will be encrypted
+ using the MD5-based algorithm compatible with the one used by
+ recent releases of FreeBSD. It supports passwords of
+ unlimited length and longer salt strings. Set to "no" if you
+ need to copy encrypted passwords to other systems which don't
+ understand the new algorithm. Default is "no".
+ </para>
+ <para>
+ This variable is deprecated. You should use ENCRYPT_METHOD.
+ </para>
+ <para>
+ Note: if you use PAM, it is recommended to set this variable
+ consistently with the PAM modules configuration.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>PASS_MAX_DAYS (number)</term>
<listitem>
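Review bot: the deprecation paragraph should tell the reader what to migrate to ("MD5_CRYPT_ENAB yes" corresponds to "ENCRYPT_METHOD MD5") and should repeat, from the ENCRYPT_METHOD entry, that ENCRYPT_METHOD overrides this variable when both are set; without that, the two entries only describe the override from one side.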
existing accounts.
</para>
<variablelist remap='IP'>
+ <varlistentry>
+ <term>SHA_CRYPT_MIN_ROUNDS (number)</term>
+ <term>SHA_CRYPT_MAX_ROUNDS (number)</term>
+ <listitem>
+ <para>
+ When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
+ the number of SHA rounds used by the encryption algorithm.
+ </para>
+ <para>
+ With a lot of rounds, it is more difficult to brute forcing
+ the password. But note also that more CPU resources will be
+ needed to authenticate users.
+ </para>
+ <para>
+ If not specified, the libc will choose the default number of rounds
+ (5000).
+ </para>
+ <para>
+ The values must be inside the 1000-999999999 range.
+ </para>
+ <para>
+ If only one of the MIN or MAX values is set, then this value will be
+ used.
+ </para>
+ <para>
+ If MIN > MAX, the highest value will be used.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>UID_MAX (number)</term>
<term>UID_MIN (number)</term>
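Review bot: grammar in the second paragraph: "it is more difficult to brute forcing the password" should read "the harder it is to brute-force the password". The entry covers the case where only one of MIN/MAX is set and the case MIN > MAX, but never says how a rounds count is picked when both are set and MIN < MAX (a value chosen within the range, or always MIN); that is the common configuration and should be documented. Also say explicitly that the chpasswd/chgpasswd -s option overrides these values, matching the -s text in this patch.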