From: Allan Jude
To: FreeBSD Current <freebsd-current@freebsd.org>
Date: Thu, 27 Feb 2014 20:28:42 -0500
Subject: Feature Proposal: 'rounds' tuneables for crypt() algorithms
Message-ID: <530FE64A.4090808@allanjude.com>

Currently, you can change the password hashing algorithm used by crypt() with the passwd_format in /etc/login.conf.

However, as far as I could find, you cannot change the number of 'rounds', the dynamic adjustment factor used in bcrypt, sha256crypt, and sha512crypt.
bcrypt uses a log number; the default is 4 (so 2^4 rounds). The minimum is currently 4, and the maximum 31.

sha256crypt and sha512crypt default to 5000, with a minimum of 1000 and a maximum of 999999999.

OpenBSD implements this in login.conf with 'localcipher', similar to our 'passwd_format', except it takes an optional 2nd parameter, the number of log2() rounds.

Arch implements this in pam_unix with rounds=

For compatibility, it might make most sense to use a separate variable rather than adding the optional parameter to the existing passwd_format, so older boxes do not choke on it.

Thoughts?

-- 
Allan Jude
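The rounds the message talks about are selected through the salt string handed to crypt(): bcrypt carries the log2 cost as two decimal digits ("$2b$12$..."), while sha256crypt and sha512crypt take an optional "rounds=N$" field ("$6$rounds=10000$..."). The following is an added, stand-alone example (not code from the original post or from FreeBSD) that builds such salts for the passwd_format names blf, sha256 and sha512, enforces the ranges quoted above (4..31 log2 for bcrypt, 1000..999999999 for sha*crypt) instead of relying on the library to clamp a bad value, parses the cost back out of a stored hash, and flags hashes that fall below a rounds policy so they can be rehashed at the next login. The function and variable names, the policy dict, and the sample hash strings are assumptions made for this example; the hash bodies are constructed filler, not real credentials.

```python
"""Build crypt(3) salt prefixes that select a work factor, and audit stored hashes.

Ranges follow the numbers given in the message above:
  bcrypt (blf):      log2 cost 4..31, default 4   (2**4 = 16 iterations)
  sha256crypt/sha512: rounds 1000..999999999, default 5000
"""
import base64
import re
import secrets

# Salt alphabet for sha256crypt/sha512crypt (./0-9A-Za-z).
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# bcrypt uses standard base64 bit grouping but its own alphabet order (./A-Za-z0-9).
_STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_TO_BCRYPT = str.maketrans(_STD_B64, _BCRYPT_B64)

# passwd_format name -> (minimum, maximum, default), as quoted in the message.
LIMITS = {
    "blf": (4, 31, 4),
    "sha256": (1000, 999_999_999, 5000),
    "sha512": (1000, 999_999_999, 5000),
}

_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$")
_SHACRYPT_RE = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?")


def check_rounds(fmt, rounds):
    """Return the rounds to use; refuse out-of-range values rather than clamping."""
    lo, hi, default = LIMITS[fmt]
    if rounds is None:
        return default
    if not lo <= rounds <= hi:
        raise ValueError(f"{fmt}: rounds must be in {lo}..{hi}, got {rounds}")
    return rounds


def make_salt(fmt, rounds=None, rng=secrets.token_bytes):
    """Salt string for crypt() that encodes the requested rounds (rng is injectable for tests)."""
    rounds = check_rounds(fmt, rounds)
    raw = rng(16)  # 128 bits of salt
    if fmt == "blf":
        b64 = base64.b64encode(raw).decode("ascii").rstrip("=")  # 22 chars
        return f"$2b${rounds:02d}$" + b64.translate(_TO_BCRYPT)
    # 256 % 64 == 0, so indexing by a byte value introduces no modulo bias.
    salt = "".join(CRYPT_ALPHABET[b % 64] for b in raw)
    ident = "5" if fmt == "sha256" else "6"
    return f"${ident}$rounds={rounds}$" + salt + "$"


def parse_cost(hashed):
    """(format, rounds) read back from a stored crypt() string; implicit sha*crypt rounds = 5000."""
    m = _BCRYPT_RE.match(hashed)
    if m:
        return "blf", int(m.group(1))
    m = _SHACRYPT_RE.match(hashed)
    if m:
        fmt = "sha256" if m.group(1) == "5" else "sha512"
        return fmt, (int(m.group(2)) if m.group(2) else LIMITS[fmt][2])
    raise ValueError("not a bcrypt or sha*crypt string")


def iterations(fmt, rounds):
    """Actual iteration count implied by the parameter (bcrypt's is a log2 value)."""
    return 2 ** rounds if fmt == "blf" else rounds


def below_policy(hashed, policy):
    """True if the hash was produced with fewer rounds than `policy` requires for its format."""
    fmt, rounds = parse_cost(hashed)
    return rounds < policy.get(fmt, LIMITS[fmt][2])


# Constructed sample entries (hash bodies are filler, not real credentials).
SAMPLE_HASHES = [
    "$2a$04$" + "." * 53,                             # bcrypt at the message's default cost 4
    "$6$abcdefghijklmnop$" + "x" * 86,                 # sha512crypt, implicit 5000 rounds
    "$6$rounds=50000$abcdefghijklmnop$" + "x" * 86,    # sha512crypt, explicit 50000 rounds
]
# Hypothetical per-format minimums an administrator might want to enforce.
POLICY = {"blf": 10, "sha512": 10000}

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        fmt, r = parse_cost(h)
        print(f"{fmt:7} rounds={r:<6} iterations={iterations(fmt, r):<8} "
              f"rehash={'yes' if below_policy(h, POLICY) else 'no'}")
    print("new blf salt:   ", make_salt("blf", POLICY["blf"]))
    print("new sha512 salt:", make_salt("sha512", POLICY["sha512"]))
```

The salt prefix is the whole mechanism: whatever a login.conf variable ends up being called, the implementation only has to feed the configured value into this prefix before calling crypt(), and the cost stays visible in every stored hash, which is what makes the audit in below_policy possible without keeping any extra state.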