make sha rounds configurable and increase no of rounds

Fixes #365 Signed-off-by: rndmh3ro <github@gumpri.ch>
dev-sec · Jun 28, 2021 · 8555544 · 8555544
1 parent d72db60
commit 8555544
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -193,7 +193,12 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
   - Default: `lost+found`
   - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
-
+- `os_sha_crypt_min_rounds`
+  - Default: `640000`
+  - Description: Define the number of minimum SHA rounds. With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.  The values must be inside the 1000-999999999 range.
+- `os_sha_crypt_max_rounds`
+  - Default: `640000`
+  - Description: Define the number of maximum SHA rounds. With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.  The values must be inside the 1000-999999999 range.
 ## Packages
 
 We remove the following packages:

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -321,3 +321,9 @@ os_selinux_policy: targeted
 
 # Mount options for proc in /etc/fstab.
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
+
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
+# The values must be inside the 1000-999999999 range.
+os_sha_crypt_min_rounds: "640000"
+os_sha_crypt_max_rounds: "640000"
diff --git a/roles/os_hardening/templates/etc/login.defs.j2 b/roles/os_hardening/templates/etc/login.defs.j2
@@ -173,8 +173,8 @@ ENCRYPT_METHOD    SHA512
 # With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
 # If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
-#SHA_CRYPT_MIN_ROUNDS    5000
-#SHA_CRYPT_MAX_ROUNDS    5000
+SHA_CRYPT_MIN_ROUNDS    {{ os_sha_crypt_min_rounds }}
+SHA_CRYPT_MAX_ROUNDS    {{ os_sha_crypt_max_rounds }}
 
 
 # Obsoleted by PAM