shadow/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml
Serge Hallyn f93cf255d4 Update licensing info
Closes #238

Update all files to list SPDX license shortname.  Most files are
BSD 3 clause license.

The exceptions are:

serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause
contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause
lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD
libmisc/salt.c: * SPDX-License-Identifier: Unlicense
src/login_nopam.c: * SPDX-License-Identifier: Unlicense
src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause
src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-23 19:36:50 -06:00

46 lines
1.7 KiB
XML

<!--
SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<varlistentry condition="sha_crypt">
<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
<listitem>
<para>
When <option>ENCRYPT_METHOD</option> is set to
<replaceable>SHA256</replaceable> or
<replaceable>SHA512</replaceable>, this defines the number of SHA
rounds used by the encryption algorithm by default (when the number
of rounds is not specified on the command line).
</para>
<para>
With a lot of rounds, it is more difficult to brute force the
password. But note also that more CPU resources will be needed to
authenticate users.
</para>
<para>
If not specified, the libc will choose the default number of rounds
(5000), which is orders of magnitude too low for modern hardware.
</para>
<para>
The values must be inside the 1000-999,999,999 range.
</para>
<para>
If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
<option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this value
will be used.
</para>
<para>
If <option>SHA_CRYPT_MIN_ROUNDS</option> &gt;
<option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will be
used.
</para>
<para condition="pam">
Note: This only affects the generation of group passwords.
The generation of user passwords is done by PAM and subject to the
PAM configuration. It is recommended to set this variable
consistently with the PAM configuration.
</para>
</listitem>
</varlistentry>
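
An added example, not part of the shadow source or its documentation: a Python audit helper that applies the rules described above to login.defs text and reads the round count out of existing SHA-crypt hashes (for instance group password entries). The function names and the sample configuration are constructed for illustration; when both values are set with MIN not greater than MAX, the helper only reports the configured interval.

```python
import re

LIBC_DEFAULT_ROUNDS = 5000                   # libc default named in the text above
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999   # valid range named in the text above
_SHA_HASH = re.compile(r"^\$[56]\$(?:rounds=(\d+)\$)?")  # $5$ = SHA256, $6$ = SHA512

# Constructed sample configuration, not taken from a real system.
SAMPLE_LOGIN_DEFS = "ENCRYPT_METHOD SHA512\nSHA_CRYPT_MIN_ROUNDS 656000\nSHA_CRYPT_MAX_ROUNDS 100000\n"

def parse_login_defs(text):
    """Return {KEY: value} from login.defs text (assumption: a later line overrides an earlier one)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def effective_rounds(settings):
    """Return (low, high, notes) following the rules in the man page text."""
    method = settings.get("ENCRYPT_METHOD", "unset")
    if method not in ("SHA256", "SHA512"):
        return None, None, [f"ENCRYPT_METHOD is {method}: SHA round settings do not apply"]
    notes, given = [], []
    for key in ("SHA_CRYPT_MIN_ROUNDS", "SHA_CRYPT_MAX_ROUNDS"):
        if key in settings:
            value = int(settings[key])       # raises ValueError on a non-numeric value
            if not ROUNDS_MIN <= value <= ROUNDS_MAX:
                notes.append(f"{key}={value} is outside {ROUNDS_MIN}-{ROUNDS_MAX}")
            given.append(value)
    if not given:
        notes.append(f"no rounds set: libc default of {LIBC_DEFAULT_ROUNDS} applies")
        return LIBC_DEFAULT_ROUNDS, LIBC_DEFAULT_ROUNDS, notes
    if len(given) == 1 or given[0] > given[1]:
        # Only one value set, or MIN > MAX: a single value (the highest) is used.
        return max(given), max(given), notes
    return given[0], given[1], notes         # MIN <= MAX: report the configured interval

def hash_rounds(crypt_hash):
    """Rounds encoded in a SHA-crypt hash, or None if it is not a $5$/$6$ hash."""
    m = _SHA_HASH.match(crypt_hash)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else LIBC_DEFAULT_ROUNDS

if __name__ == "__main__":
    print(effective_rounds(parse_login_defs(SAMPLE_LOGIN_DEFS)))
```

Comparing `hash_rounds()` over stored hashes with `effective_rounds()` shows which entries were generated before the configuration was raised and still carry the low default.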