shadow: Allow using bcrypt and yescrypt, and use yescrypt as the default

Yescrypt is the current default password hashing algorithm of Fedora and Debian. See [1] for its advantage. Now we have libxcrypt providing the implementation of bcrypt and yescrypt, we can switch to yescrypt as well. We also don't need to adjust the rounds for SHA512 anymore. [1]:https://www.fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
2025-01-31 11:21:59 +00:00 · 2023-07-03 21:28:36 +08:00 · 2023-07-03 21:28:36 +08:00 · c2325070af
commit c2325070af
parent f4313a75c8
1 changed files with 25 additions and 11 deletions
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml
@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
 find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></screen>
    <para id="shadow-login_defs">Instead of using the default
-    <emphasis>crypt</emphasis> method, use the more secure
+    <emphasis>crypt</emphasis> method, use the much more secure
-    <emphasis>SHA-512</emphasis> method of password encryption, which also
+    <emphasis>YESCRYPT</emphasis> method of password encryption, which also
-    allows passwords longer than 8 characters. In addition, set the number of
+    allows passwords longer than 8 characters.
-    rounds to 500,000 instead of the default 5000, which is much too low to
+    It is also necessary to change
    prevent brute force password attacks. It is also necessary to change
    the obsolete <filename class="directory">/var/spool/mail</filename> location
    for user mailboxes that Shadow uses by default to the <filename
    class="directory">/var/mail</filename> location used currently. And,
@ -81,10 +80,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
      built.</para>
    </note>
-<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
+<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
-    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'       \
+    -e 's:/var/spool/mail:/var/mail:'                   \
-    -e 's:/var/spool/mail:/var/mail:'                 \
+    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                  \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
    -i etc/login.defs</userinput></screen>
    <note>
@ -106,8 +104,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
    <para>Prepare Shadow for compilation:</para>
 <screen><userinput remap="configure">touch /usr/bin/passwd
-./configure --sysconfdir=/etc \
+./configure --sysconfdir=/etc   \
-            --disable-static  \
+            --disable-static    \
            --with-{b,yes}crypt \
            --with-group-name-max-length=32</userinput></screen>
    <variablelist>
@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
          create it in the wrong place.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><parameter>--with-{b,yes}crypt</parameter></term>
        <listitem>
          <para>The shell expands this to two switches,
          <parameter>--with-bcrypt</parameter> and
          <parameter>--with-yescrypt</parameter>.  They allow shadow to use
          the Bcrypt and Yescrypt algorithms implemented by
          <application>Libxcrypt</application> for hashing passwords.
          These algorithms are more secure (in particular, much more
          resistant to GPU-based attacks) than the traditional SHA
          algorithms.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><parameter>--with-group-name-max-length=32</parameter></term>
        <listitem>