From f4313a75c82a222e804d3dd5284b37a510acbe6e Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 3 Jul 2023 19:36:58 +0800
Subject: [PATCH 1/5] libxcrypt: Fix a typo
---
 chapter08/libxcrypt.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chapter08/libxcrypt.xml b/chapter08/libxcrypt.xml
index c65d7db29..3fb59941d 100644
--- a/chapter08/libxcrypt.xml
+++ b/chapter08/libxcrypt.xml
@@ -99,7 +99,7 @@ no package installed by compiling from sources would link against them at runtime. However, the only known binary-only applications that link against these functions require ABI version 1. If you must
- have such libraries because of some binary-only application or to be
+ have such functions because of some binary-only application or to be
 to be compliant with LSB, build the package again with the following commands:
From c2325070afb64fd46a409f0445112df2dbfe9456 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 3 Jul 2023 21:28:36 +0800
Subject: [PATCH 2/5] shadow: Allow using bcrypt and yescrypt, and use yescrypt as the default Yescrypt is the current default password hashing algorithm of Fedora and Debian. See [1] for its advantage. Now we have libxcrypt providing the implementation of bcrypt and yescrypt, we can switch to yescrypt as well. We also don't need to adjust the rounds for SHA512 anymore. [1]:https://www.fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
---
 chapter08/shadow.xml | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml
index 93d1f3f7e..0f34d70ac 100644
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml 
@@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; Instead of using the default
- crypt method, use the more secure
- SHA-512 method of password encryption, which also
- allows passwords longer than 8 characters. In addition, set the number of
- rounds to 500,000 instead of the default 5000, which is much too low to
- prevent brute force password attacks. It is also necessary to change
+ crypt method, use the much more secure
+ YESCRYPT method of password encryption, which also
+ allows passwords longer than 8 characters.
+ It is also necessary to change
 the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. And,
@@ -81,10 +80,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;
-sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
- -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
- -e 's:/var/spool/mail:/var/mail:' \
- -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
+sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
+ -e 's:/var/spool/mail:/var/mail:' \
+ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
 -i etc/login.defs
@@ -106,8 +104,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;Prepare Shadow for compilation: touch /usr/bin/passwd
-./configure --sysconfdir=/etc \
- --disable-static \
+./configure --sysconfdir=/etc \
+ --disable-static \
+ --with-{b,yes}crypt \
 --with-group-name-max-length=32
@@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; + + + --with-{b,yes}crypt + + The shell expands this to two switches, + --with-bcrypt and + --with-yescrypt. They allow shadow to use + the Bcrypt and Yescrypt algorithms implemented by + Libxcrypt for hashing passwords. + These algorithms are more secure (in particular, much more + resistant to GPU-based attacks) than the traditional SHA + algorithms. + + + --with-group-name-max-length=32 
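Review bot: In the second hunk (the sed on etc/login.defs) ENCRYPT_METHOD becomes YESCRYPT and the SHA_CRYPT_*_ROUNDS tuning is dropped, but neither the command nor the rewritten paragraph above it says what work factor yescrypt now runs at, so readers lose the guidance the old text gave about not trusting the shipped default; the corresponding knob in login.defs is YESCRYPT_COST_FACTOR, which this hunk leaves at its default (5 in current upstream login.defs as far as I recall — worth confirming against the shadow version the book builds). I would add one sentence to the explanatory paragraph, such as `The yescrypt work factor is controlled by YESCRYPT_COST_FACTOR in /etc/login.defs; the default value is used here.`, or set it explicitly with another `-e` expression next to ENCRYPT_METHOD. A second, pre-existing weakness the new line inherits: the substitution only fires if the template still contains the literal `#ENCRYPT_METHOD DES` line, and if a future shadow release changes that line the sed silently does nothing and the system falls back to shadow's compiled-in method, so a check such as `grep '^ENCRYPT_METHOD' etc/login.defs` after the sed would make that failure visible. The trailing context `-i etc/login.defs` is the end of the command, so the whole command is within view.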
From 337b9c85bc37a4bce073b6bd48a49e735a4bb75b Mon Sep 17 00:00:00 2001
From: Bruce Dubbs
Date: Mon, 3 Jul 2023 17:23:14 -0500
Subject: [PATCH 3/5] Fix libxcrypt url
---
 packages.ent | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages.ent b/packages.ent
index 72bdadd2d..5c9e46172 100644
--- a/packages.ent
+++ b/packages.ent
@@ -432,7 +432,7 @@ - +
From b551c5d6021f887e869d2084510fa03e0d297322 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Wed, 5 Jul 2023 02:54:31 +0800
Subject: [PATCH 4/5] dependencies: Perl is a build dependency for Libxcrypt
---
 appendices/dependencies.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appendices/dependencies.xml b/appendices/dependencies.xml
index 54b3d65e0..1d693e064 100644
--- a/appendices/dependencies.xml
+++ b/appendices/dependencies.xml
@@ -1892,7 +1892,7 @@ &dependencies; Bash, Binutils, Coreutils, Diffutils, Gawk, GCC, Glibc, Grep,
- Make, and Sed
+ Make, Perl, and Sed
From f976691d531b7148f60957dba9f27d11669d5722 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Tue, 11 Jul 2023 07:44:39 +0800
Subject: [PATCH 5/5] kernel: Remove CONFIG_SYSFS_DEPRECATED It's already removed from Linux 6.4. Link: https://git.kernel.org/torvalds/linux/c/721da5cee9d4
---
 chapter10/kernel.xml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml
index c8b12e4d9..c6ed57585 100644
--- a/chapter10/kernel.xml
+++ b/chapter10/kernel.xml
@@ -163,7 +163,6 @@ General setup --->
 < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
 [*] Control Group support [CONFIG_CGROUPS] --->
 [*] Memory controller [CONFIG_MEMCG]
- [ ] Enable deprecated sysfs features to support old userspace tools [CONFIG_SYSFS_DEPRECATED]
 [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT]
 General architecture-dependent options --->
 [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]