Feature Proposal: 'rounds' tuneables for crypt() algorithms
Allan Jude
freebsd at allanjude.com
Fri Feb 28 01:28:47 UTC 2014
Currently, you can change the password hashing algorithm used by crypt()
with the passwd_format in /etc/login.conf.

However, as far as I could find, you cannot change the number of
'rounds', the dynamic adjustment factor used in bcrypt, sha256crypt,
and sha512crypt.

bcrypt uses a log number; the default is 4 (so 2^4 rounds). The minimum
is currently 4, and the maximum 31.

sha256 and sha512crypt default to 5000, with a minimum of 1000 and a
maximum of 999999999.

OpenBSD implements this in login.conf with 'localcipher' similar to our
'passwd_format', except it takes an optional 2nd parameter, the number
of log2() rounds.

Arch implements this in pam_unix with rounds=.

For compatibility, it might make most sense to use a separate variable
rather than adding the optional parameter to the existing passwd_format,
so older boxes do not choke on it.

Thoughts?

--
Allan Jude
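
Added example, not part of the original message and not FreeBSD code: the rounds value discussed above is recorded in the hash string itself, so existing password entries can be audited for their cost. The helper name crypt_rounds and the sample strings are hypothetical and constructed; the limits are the ones quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Limits as quoted in the message above. */
#define BCRYPT_MIN_LOG 4
#define BCRYPT_MAX_LOG 31
#define SHA_DEFAULT 5000ULL
#define SHA_MIN 1000ULL
#define SHA_MAX 999999999ULL

/* Hypothetical helper: iteration count encoded in a crypt(3) hash string.
 * Returns 0 for other schemes or a malformed cost field. */
unsigned long long crypt_rounds(const char *h)
{
    if (h == NULL) return 0;
    /* bcrypt: "$2<variant>$NN$...", NN = two-digit log2 cost */
    if (strncmp(h, "$2", 2) == 0 && h[2] != '\0' && h[3] == '$') {
        if (!isdigit((unsigned char)h[4]) || !isdigit((unsigned char)h[5]) || h[6] != '$')
            return 0;
        int cost = (h[4] - '0') * 10 + (h[5] - '0');
        if (cost < BCRYPT_MIN_LOG || cost > BCRYPT_MAX_LOG)
            return 0;
        return 1ULL << cost;
    }
    /* sha256crypt "$5$" / sha512crypt "$6$", optional "rounds=N$" before the salt */
    if (strncmp(h, "$5$", 3) == 0 || strncmp(h, "$6$", 3) == 0) {
        const char *p = h + 3;
        if (strncmp(p, "rounds=", 7) != 0)
            return SHA_DEFAULT;          /* no field: default applies */
        if (!isdigit((unsigned char)p[7]))
            return 0;                    /* rejects signs and whitespace */
        char *end;
        unsigned long long n = strtoull(p + 7, &end, 10);
        if (*end != '$')
            return 0;
        /* the SHA-crypt reference code clamps out-of-range values */
        return n < SHA_MIN ? SHA_MIN : (n > SHA_MAX ? SHA_MAX : n);
    }
    return 0;
}

int main(void)
{
    /* Constructed samples; salt and digest parts are placeholders, not real hashes. */
    const char *s[] = { "$2b$04$SALTPLACEHOLDER", "$6$SALT$DIGEST", "$5$rounds=500$SALT$DIGEST" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-28s %llu\n", s[i], crypt_rounds(s[i]));
}
```

A return value of 16 for a bcrypt entry or 5000 for a SHA-crypt entry means the hash was created with the defaults described in the message.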
More information about the freebsd-current
mailing list