shadow: Allow using bcrypt and yescrypt, and use yescrypt as the default

Yescrypt is the current default password hashing algorithm of Fedora and Debian. See [1] for its advantage. Now we have libxcrypt providing the implementation of bcrypt and yescrypt, we can switch to yescrypt as well. We also don't need to adjust the rounds for SHA512 anymore. [1]:https://www.fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description
2025-01-31 11:21:59 +00:00 · 2023-07-03 21:28:36 +08:00 · 2023-07-03 21:28:36 +08:00 · c2325070af
commit c2325070af
parent f4313a75c8
1 changed files with 25 additions and 11 deletions
--- a/chapter08/shadow.xml
+++ b/chapter08/shadow.xml
@ -60,11 +60,10 @@ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
 find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></screen>

    <para id="shadow-login_defs">Instead of using the default
-    <emphasis>crypt</emphasis> method, use the more secure
-    <emphasis>SHA-512</emphasis> method of password encryption, which also
-    allows passwords longer than 8 characters. In addition, set the number of
-    rounds to 500,000 instead of the default 5000, which is much too low to
-    prevent brute force password attacks. It is also necessary to change
+    <emphasis>crypt</emphasis> method, use the much more secure
+    <emphasis>YESCRYPT</emphasis> method of password encryption, which also
+    allows passwords longer than 8 characters.
+    It is also necessary to change
    the obsolete <filename class="directory">/var/spool/mail</filename> location
    for user mailboxes that Shadow uses by default to the <filename
    class="directory">/var/mail</filename> location used currently. And,
@ -81,8 +80,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
      built.</para>
    </note>

-<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
-    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'       \
+<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
    -e 's:/var/spool/mail:/var/mail:'                   \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                  \
    -i etc/login.defs</userinput></screen>
@ -108,6 +106,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
 <screen><userinput remap="configure">touch /usr/bin/passwd
 ./configure --sysconfdir=/etc   \
            --disable-static    \
+            --with-{b,yes}crypt \
            --with-group-name-max-length=32</userinput></screen>

    <variablelist>
@ -122,6 +121,21 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></s
          create it in the wrong place.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><parameter>--with-{b,yes}crypt</parameter></term>
+        <listitem>
+          <para>The shell expands this to two switches,
+          <parameter>--with-bcrypt</parameter> and
+          <parameter>--with-yescrypt</parameter>.  They allow shadow to use
+          the Bcrypt and Yescrypt algorithms implemented by
+          <application>Libxcrypt</application> for hashing passwords.
+          These algorithms are more secure (in particular, much more
+          resistant to GPU-based attacks) than the traditional SHA
+          algorithms.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><parameter>--with-group-name-max-length=32</parameter></term>
        <listitem>