SHA_CRYPT_MIN_ROUNDS should be increased in login.defs #365

Closed
joubbi opened this issue Dec 29, 2020 · 5 comments · Fixed by #452

Comments

@joubbi
Contributor

joubbi commented Dec 29, 2020

Running Lynis against a hardened CentOS 7 gives this:

  * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] 
      https://cisofy.com/lynis/controls/AUTH-9229/

  * Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
      https://cisofy.com/lynis/controls/AUTH-9230/

The login.defs has the default value 5000 commented out.

The manual for login.defs states this:

    With a lot of rounds, it is more difficult to brute force the password.
    But note also that more CPU resources will be needed to authenticate users.

    If not specified, the libc will choose the default number of
    rounds (5000), which is orders of magnitude too low for
    modern hardware.

Describe the solution you'd like
I think there should be a variable for SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS with a default value of 10000 or more.
Also the same value should then be used for the rounds option in /etc/pam.d/system-auth.

Additional context
https://gitlab.tails.boum.org/tails/tails/-/issues/15053

@schurzi schurzi self-assigned this Jan 2, 2021
@schurzi
Contributor

schurzi commented Jan 2, 2021

our Puppet implementation has this already specified, I think we will take the same value for Ansible

@schurzi
Contributor

schurzi commented Jan 2, 2021

interesting bit from the man page:

           Note: This only affect the generation of group passwords. The
           generation of user passwords is done by PAM and subject to
           the PAM configuration. It is recommended to set this variable
           consistently with the PAM configuration.

so setting this in login.defs alone will not be enough, we also need to set this in the pam configuration. see: https://wiki.archlinux.org/index.php/SHA_password_hashes

rndmh3ro pushed a commit that referenced this issue Jun 28, 2021
Fixes #365

Signed-off-by: rndmh3ro <github@gumpri.ch>
@schurzi
Contributor

schurzi commented Jun 28, 2021

    In short, changing SHA_CRYPT_MIN_ROUNDS in login.defs is enough (assuming you're using sha256 or sha512).

I did check this some time ago and just did a re-check. from what I see in my configuration (CentOS7) the explicit declaration of rounds= as a parameter to pam_unix.so is required to change the behaviour.

Can you explain further how you did your tests to establish correct behaviour?

a rough example of what I did:

  • change /etc/login.defs
  • passwd
  • check /etc/shadow (password hash should contain the number of rounds) -> this is not the case, so this is not working
  • change /etc/pam.d/system-auth to add rounds= as a parameter to pam_unix.so
  • passwd
  • check /etc/shadow -> correct behaviour

You can further verify the correct behaviour by specifying a really large number of rounds. You will notice that updating passwords takes considerably longer with a larger number of rounds.
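The manual check above (set the login.defs value, run passwd, look for rounds= in the /etc/shadow hash, then add rounds= to pam_unix.so and repeat) can be scripted. The following is an added example, not code from the dev-sec project or from anyone in this thread. It only reads constructed login.defs, shadow and system-auth fragments with placeholder hash bodies, so it runs without touching the host; the fallback of 5000 rounds for a pam_unix.so line without rounds= is an assumption taken from what was observed on CentOS 7 in this thread, not a guarantee for every PAM version.

```shell
#!/bin/sh
# Added example, not dev-sec project code: script the manual check from the thread
# (login.defs value -> pam_unix.so rounds= -> rounds actually recorded in /etc/shadow).
# All input below is constructed; no real system file is read or written.
set -u

# Rounds encoded in a SHA-crypt hash field ($5$ = sha256, $6$ = sha512).
# A hash without a rounds= element was made with the glibc default, 5000.
hash_rounds() {
    case "$1" in
        '$5$'*|'$6$'*) ;;
        *) echo "not-sha-crypt"; return 1 ;;
    esac
    r=$(printf '%s\n' "$1" | sed -n 's/^\$[56]\$rounds=\([0-9][0-9]*\)\$.*/\1/p')
    echo "${r:-5000}"
}

# rounds= on a pam_unix.so line. Assumption from the thread (CentOS 7): without
# rounds=, pam_unix.so falls back to the libc default of 5000 regardless of login.defs.
pam_unix_rounds() {
    r=$(printf '%s\n' "$1" | sed -n 's/.*pam_unix\.so.*[[:space:]]rounds=\([0-9][0-9]*\).*/\1/p')
    echo "${r:-5000}"
}

# Value of an uncommented numeric KEY in a login.defs-style file (empty if absent or commented).
logindefs_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Succeeds when USER's entry in a shadow-format file was hashed with at least MIN rounds.
shadow_rounds_ok() {
    sf=$1; su=$2; smin=$3
    h=$(awk -F: -v u="$su" '$1 == u { print $2 }' "$sf")
    got=$(hash_rounds "$h") || return 1
    [ "$got" -ge "$smin" ]
}

# Constructed fixtures: hash bodies are placeholders, not real password hashes.
tmp=$(mktemp -d)
cat > "$tmp/login.defs" <<'EOF'
ENCRYPT_METHOD SHA512
# SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MIN_ROUNDS 65536
SHA_CRYPT_MAX_ROUNDS 65536
EOF
# alice was rehashed before PAM got rounds=, bob after
cat > "$tmp/shadow" <<'EOF'
alice:$6$H2yS7v1c$PLACEHOLDERHASHBODY:18625:0:99999:7:::
bob:$6$rounds=65536$8qPnT0dZ$PLACEHOLDERHASHBODY:18625:0:99999:7:::
EOF
WEAK_PAM='password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
FIXED_PAM="$WEAK_PAM rounds=65536"

min=$(logindefs_value "$tmp/login.defs" SHA_CRYPT_MIN_ROUNDS)
echo "login.defs SHA_CRYPT_MIN_ROUNDS = $min"
echo "pam_unix.so without rounds= -> $(pam_unix_rounds "$WEAK_PAM") rounds"
echo "pam_unix.so with rounds=    -> $(pam_unix_rounds "$FIXED_PAM") rounds"
for u in alice bob; do
    if shadow_rounds_ok "$tmp/shadow" "$u" "$min"; then
        echo "$u: hash uses >= $min rounds"
    else
        echo "$u: hash below $min rounds; password must be re-set after fixing PAM"
    fi
done
rm -rf "$tmp"
```

Point the same functions at the real /etc/login.defs, /etc/pam.d/system-auth and /etc/shadow (as root) to audit a host. The hash parser only understands the $5$/$6$ SHA-crypt formats discussed in this issue; other schemes such as yescrypt ($y$) are reported as not-sha-crypt rather than guessed at.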

@rndmh3ro
Member

Okay, let's add this to PAM, too, then.
For RHEL we already configure system-auth. Since we don't have any support yet for the other OS, I'll only add it to RHEL.

@schurzi
Contributor

schurzi commented Jun 29, 2021

    Thanks for re-checking, this would have hit my own configs.

Sure. Thank you for providing further information to us. :)

Generally speaking, we want to support a wide range of linux distributions, so we will stick to specifying rounds in pam config. But I'm really interested in seeing how this evolves and when we can rely on login.defs alone.

rndmh3ro added a commit that referenced this issue Jun 30, 2021
* make sha rounds configurable and increase no of rounds

Fixes #365

Signed-off-by: rndmh3ro <github@gumpri.ch>

* Prettified Code!

* make password rounds configurable in pam system-auth

Signed-off-by: rndmh3ro <github@gumpri.ch>

* change wording of sha rounds documentation

Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022