Sync shadow "rounds" parameter to blfs

Otherwise, as Xi has noticed, the password set for root at the end
of lfs may use the value 5000 for rounds, and not be changed, even
if later the number of rounds is increased.
This commit is contained in:
Pierre Labastie 2022-11-25 09:30:45 +01:00
parent 9a23a75c5d
commit aea16f699e

@ -62,7 +62,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
<para id="shadow-login_defs">Instead of using the default
<emphasis>crypt</emphasis> method, use the more secure
<emphasis>SHA-512</emphasis> method of password encryption, which also
allows passwords longer than 8 characters. It is also necessary to change
allows passwords longer than 8 characters. In addition, set the number of
rounds to 500,000 instead of the default 5000, which is much too low to
prevent brute force password attacks. It is also necessary to change
the obsolete <filename class="directory">/var/spool/mail</filename> location
for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used currently. And,
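Review bot: the new sentence says 5000 rounds is too low to "prevent" brute force attacks, but a higher round count only raises the cost of each guess, so "slow down" or "hinder" would be more accurate, and "brute force" should be hyphenated when used as a modifier ("brute-force password attacks"). The paragraph also does not say that the rounds value applies only to hashes created after login.defs is changed, which is the situation the commit message describes for a root password set earlier. A short sentence telling readers to set the password again after changing the value would close that gap.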
@ -80,6 +82,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
</note>
<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
-e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
-e 's:/var/spool/mail:/var/mail:' \
-e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
-i etc/login.defs</userinput></screen>
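Review bot: the added expression `-e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'` succeeds silently when nothing matches, so if the shipped login.defs ever carries a commented default other than 5000, the low round count stays in place with no sign of it. Consider following the sed with a check such as `grep ROUNDS etc/login.defs`, or state the expected result in the text. The replacement `\100` is also easy to misread as an octal escape or a three-digit backreference. It is `\1` followed by a literal `00`, and a brief remark in the surrounding para that the `...` wildcard covers both the MIN and MAX settings and turns each into 500000 would help readers.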