SHA_CRYPT_MIN_ROUNDS should be increased in login.defs #365
Our Puppet implementation has this already specified; I think we will take the same value for Ansible.
Interesting bit from the man page:
So setting this in
Fixes #365 Signed-off-by: rndmh3ro <github@gumpri.ch>
I did check this some time ago and just did a re-check. From what I see in my configuration (CentOS 7), the explicit declaration of
Can you explain further how you did your tests to establish correct behaviour? A rough example of what I did:
You can further verify the correct behaviour by specifying a really large number of rounds. You will notice that updating passwords takes considerably longer with a larger number of rounds.
Okay, let's add this to PAM, too, then.
Sure. Thank you for providing further information to us. :) Generally speaking, we want to support a wide range of Linux distributions, so we will stick to specifying
* make sha rounds configurable and increase no of rounds
Fixes #365
Signed-off-by: rndmh3ro <github@gumpri.ch>
* Prettified Code!
* make password rounds configurable in pam system-auth
Signed-off-by: rndmh3ro <github@gumpri.ch>
* change wording of sha rounds documentation
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
Running Lynis against a hardened CentOS 7 gives this:
The login.defs file has the default values of 5000 commented out.
The manual for login.defs states this:
Describe the solution you'd like
I think there should be a variable for SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS with a default value of 10000 or more. Also, the same value should then be used for the rounds option in /etc/pam.d/system-auth.
Additional context
https://gitlab.tails.boum.org/tails/tails/-/issues/15053
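The thread above names three places where the SHA-crypt round count is decided: the SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS lines in login.defs (which set nothing while they are commented out), the rounds= option on the pam_unix.so password line in /etc/pam.d/system-auth, and the hashes already stored in /etc/shadow, where a `$6$rounds=N$...` prefix records the count that was actually used and a plain `$6$salt$...` means the implicit default of 5000. The script below is an added example, not code from the issue or from the dev-sec project: it parses constructed samples of all three files (the shadow hash bodies are dummies, not real hashes) and reports every place that falls below a threshold, using the 10000 the issue proposes as the default. The file contents, user names and the `audit` helper are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# ---- constructed sample inputs (not taken from a real host; hash bodies are dummies) ----

# login.defs as the issue describes it on CentOS 7: the rounds lines are comments,
# so they set nothing and the compiled-in default (5000) applies.
LOGIN_DEFS_WEAK = """\
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
"""

# The same file with the value the issue proposes actually set.
LOGIN_DEFS_HARDENED = """\
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 10000
SHA_CRYPT_MAX_ROUNDS 10000
"""

# /etc/pam.d/system-auth password line without and with an explicit rounds= option.
PAM_WEAK = "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n"
PAM_HARDENED = ("password    sufficient    pam_unix.so sha512 shadow nullok "
                "try_first_pass use_authtok rounds=10000\n")

# /etc/shadow: one hash without rounds= (implicit 5000), one with rounds=10000, two locked.
SHADOW_WEAK = """\
root:$6$saltsalt$DUMMYHASHBODYNOTAREALHASH:18500:0:99999:7:::
alice:$6$rounds=10000$saltsalt$DUMMYHASHBODYNOTAREALHASH:18500:0:99999:7:::
bob:!!:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
"""
SHADOW_HARDENED = """\
alice:$6$rounds=10000$saltsalt$DUMMYHASHBODYNOTAREALHASH:18500:0:99999:7:::
"""

SHA_CRYPT_DEFAULT_ROUNDS = 5000  # crypt(5): rounds used when the hash carries no rounds= field
_PAM_ROUNDS = re.compile(r"\brounds=(\d+)\b")


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return the active (uncommented) KEY VALUE pairs of a login.defs body.

    '#SHA_CRYPT_MIN_ROUNDS 5000' is a comment, so the key is simply absent from
    the result: the written number has no effect until the '#' is removed.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def pam_unix_rounds(text: str) -> Optional[int]:
    """Return the rounds= value of the first active 'password ... pam_unix.so' line, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields and fields[0] == "password" and any(f.endswith("pam_unix.so") for f in fields):
            match = _PAM_ROUNDS.search(line)
            return int(match.group(1)) if match else None
    return None


def hash_rounds(hash_field: str) -> Optional[int]:
    """Return the round count recorded in a sha256-crypt ($5$) or sha512-crypt ($6$) hash.

    '$6$rounds=10000$salt$...' -> 10000; '$6$salt$...' -> 5000 (implicit default).
    Locked or empty entries ('!', '*') and other schemes ($1$ md5, $y$ yescrypt) -> None.
    """
    if not hash_field or hash_field[0] in "!*":
        return None
    parts = hash_field.split("$")  # parts[0] is '' because the field starts with '$'
    if len(parts) < 4 or parts[1] not in ("5", "6"):
        return None
    if parts[2].startswith("rounds="):
        return int(parts[2][len("rounds="):])
    return SHA_CRYPT_DEFAULT_ROUNDS


def audit(login_defs: str, pam_system_auth: str, shadow: str, minimum: int = 10000) -> List[str]:
    """Report every place where fewer than `minimum` SHA-crypt rounds are in effect."""
    findings: List[str] = []
    defs_min = parse_login_defs(login_defs).get("SHA_CRYPT_MIN_ROUNDS")
    if defs_min is None:
        findings.append("login.defs: SHA_CRYPT_MIN_ROUNDS is not set (commented out or absent)")
    elif int(defs_min) < minimum:
        findings.append(f"login.defs: SHA_CRYPT_MIN_ROUNDS={defs_min} is below {minimum}")
    pam = pam_unix_rounds(pam_system_auth)
    if pam is None:
        findings.append("system-auth: pam_unix.so has no explicit rounds= option")
    elif pam < minimum:
        findings.append(f"system-auth: rounds={pam} is below {minimum}")
    if defs_min is not None and pam is not None and int(defs_min) != pam:
        findings.append(f"login.defs ({defs_min}) and system-auth ({pam}) disagree on rounds")
    for line in shadow.splitlines():
        if not line.strip():
            continue
        user, pwhash = line.split(":")[:2]
        rounds = hash_rounds(pwhash)
        if rounds is not None and rounds < minimum:
            findings.append(f"shadow: {user} is hashed with only {rounds} rounds")
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (LOGIN_DEFS_WEAK, PAM_WEAK, SHADOW_WEAK)),
                        ("hardened", (LOGIN_DEFS_HARDENED, PAM_HARDENED, SHADOW_HARDENED))):
        print(f"[{label}]")
        for finding in audit(*args) or ["no findings"]:
            print("  ", finding)
```

The shadow check is the part a config-only scan misses: raising the rounds in login.defs and system-auth only affects passwords set after the change, so existing accounts keep reporting the old count until their passwords are rotated (or forced to expire), which is why the audit reads the stored hash prefix rather than trusting the configuration alone.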