From aea16f699ed1fac8534d6599cc56de694ebf64c2 Mon Sep 17 00:00:00 2001 From: Pierre Labastie Date: Fri, 25 Nov 2022 09:30:45 +0100 Subject: [PATCH] Sync shadow "rounds" parameter to blfs Otherwise, As Xi has noticed, the password set for root at the end of lfs may use the value 5000 for rounds, and not be changed, even if later the number of rounds is increased. --- chapter08/shadow.xml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml index 83c8f6ec9..93d1f3f7e 100644 --- a/chapter08/shadow.xml +++ b/chapter08/shadow.xml @@ -62,7 +62,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;Instead of using the default crypt method, use the more secure SHA-512 method of password encryption, which also - allows passwords longer than 8 characters. It is also necessary to change + allows passwords longer than 8 characters. In addition, set the number of + rounds to 500,000 instead of the default 5000, which is much too low to + prevent brute force password attacks. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. And, @@ -80,6 +82,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \ + -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \ -e 's:/var/spool/mail:/var/mail:' \ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ -i etc/login.defs
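Review bot: in the first hunk (the paragraph at @@ -62,7 +62,9 @@) the added sentence speaks of "the number of rounds" as a single setting, but the sed in the second hunk uncomments two parameters, SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS, and pins both to 500000; say so explicitly, e.g. "set both the minimum and maximum number of SHA-crypt rounds to 500,000", so the reader can match the text to the two lines that change in etc/login.defs. The justification "which is much too low to prevent brute force password attacks" also overstates what rounds do: a higher round count only makes offline guessing against a leaked hash slower, it does not prevent it, so "too low to meaningfully slow down offline brute-force attacks against the stored hashes" would be accurate. While this paragraph is being touched, the surrounding context line "SHA-512 method of password encryption" could be corrected to "password hashing", since SHA-crypt is a hash, not encryption.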
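Review bot: in the second hunk (the sed at @@ -80,6 +82,7 @@) the new expression `-e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'` is a silent no-op if either commented default in upstream login.defs is not literally `5000`, and the commit message says the whole point is to stop root's password being hashed with 5000 rounds, so a silent miss defeats the change; consider having the book verify the result, e.g. `grep '^SHA_CRYPT_..._ROUNDS' etc/login.defs` should print both lines with `500000`, or at least state the expected outcome in the text. Two smaller points: `..` matches any two characters, and `\(MIN\|MAX\)` would be more explicit (GNU sed, which LFS already relies on for `\;` and `@` delimiters here); and `\100` depends on sed parsing a single-digit backreference `\1` followed by literal `00`, which is correct but reads like a three-digit reference, so a word in the text or a less surprising spelling such as `\1` with `00` outside the group would help readers who copy and adapt this command.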