On 2013/05/13 19:32, Mark Lumsden wrote: > On Mon, May 13, 2013 at 08:24:43PM +0100, Stuart Henderson wrote: > > On 2013/05/13 18:35, Mark Lumsden wrote: > > > Shouldn't the default rounds for blowfish in adduser.perl be the same > > > as login.conf? ok? > > > > > > mark > > > > > > Index: adduser.perl > > > =================================================================== > > > RCS file: /cvs/src/usr.sbin/adduser/adduser.perl,v > > > retrieving revision 1.58 > > > diff -u -p -u -p -r1.58 adduser.perl > > > --- adduser.perl 22 Sep 2011 10:59:23 -0000 1.58 > > > +++ adduser.perl 12 May 2013 20:09:47 -0000 > > > @@ -973,12 +973,12 @@ sub salt { > > > $salt = ""; > > > } elsif ($encryptionmethod =~ /^blowfish/ ) { > > > ($encryptionmethod, $salt) = split(/\,/, $encryptionmethod); > > > - $salt = 7 unless $salt; # default rounds if unspecified > > > + $salt = 6 unless $salt; # default rounds if unspecified > > > } else { > > > warn "$encryptionmethod encryption method invalid\n" if > > > ($verbose > 0); > > > - warn "Falling back to blowfish,7...\n" if ($verbose > 0); > > > + warn "Falling back to blowfish,6...\n" if ($verbose > 0); > > > $encryptionmethod = "blowfish"; > > > - $salt = 7; > > > + $salt = 6; > > > } > > > > > > warn "Salt is: $salt\n" if $verbose > 1; > > > > > > > The default number of rounds in login.conf was set to 6 in 2001 when the > > 1.4GHz p3 xeon was a pretty decent cpu - this number needs to go up, not > > down. > > > > I agree. tedu suggest 9 for the number of user rounds and 11 for > root back in 2010. Are these numbers reasonable on most archs?
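Review bot: the default round count is now written out three times in this hunk (`$salt = 6 unless $salt;`, `$salt = 6;` and the string in `warn "Falling back to blowfish,6...\n"`), so the next change to the default has to touch all three and the warning text can silently drift from the value actually used; hoisting it into one variable (for example `my $defaultrounds = 6;` near the top of `sub salt`, interpolated into the warn) keeps them in step. Note also the direction of the change: the blowfish count is the log2 of the key-setup iterations, so going from 7 to 6 halves the work per hash, and as the reply below points out the login.conf value it is being matched to dates from 2001; keeping adduser.perl and login.conf consistent by raising the login.conf default rather than lowering this one meets the same goal without weakening new accounts.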
Actually iirc there was a diff to encrypt(1) to make it automatically pick a value which wasn't too slow on the machine, which might be a decent default setting (as long as those who are more concerned about the speed of attackers machines can raise it above this value).
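The "pick a value that isn't too slow on this machine" idea mentioned above, written out as an added example that is not code from the thread, from adduser.perl or from encrypt(1). Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 with 2**cost iterations stands in for the hash in the timing loop (an assumption of this example, not how encrypt(1) works); the selection logic only relies on the work doubling with each increment of the cost, which is exactly bcrypt's log2 "rounds" parameter, so 7 versus 6 in the diff above is a factor of two. The function, parameter and sample names are constructed for the example.

```python
"""
Added example: choose a bcrypt-style log2 cost by timing the hash locally.

bcrypt's "rounds" value is a log2 cost: cost 7 runs 2**7 = 128 key-setup
iterations, cost 6 runs 64.  The stdlib has no bcrypt, so PBKDF2-HMAC-SHA256
with 2**cost iterations is used here as a stand-in (assumption); the chooser
itself works for any hash whose work doubles per cost increment.
"""
import hashlib
import time
from typing import Callable

# Constructed sample inputs for the stand-in hash (not real credentials).
SAMPLE_PASSWORD = b"constructed-sample-password"
SAMPLE_SALT = b"\x00" * 16


def bcrypt_like_work(cost: int) -> bytes:
    """Stand-in for bcrypt: PBKDF2 with 2**cost iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", SAMPLE_PASSWORD, SAMPLE_SALT,
                               2 ** cost, dklen=32)


def measure_seconds(cost: int) -> float:
    """Wall-clock seconds for one stand-in hash at the given cost."""
    start = time.perf_counter()
    bcrypt_like_work(cost)
    return time.perf_counter() - start


def choose_cost(measure: Callable[[int], float], target_seconds: float,
                min_cost: int = 4, max_cost: int = 31) -> int:
    """
    Return the largest cost in [min_cost, max_cost] whose measured hash time
    does not exceed target_seconds.  Never returns less than min_cost, so a
    slow machine gets a floor rather than a trivially cheap hash; the caller
    (or an administrator) is free to raise the result for a higher target.
    Because each step doubles the work, the timings summed over the loop
    cost only about twice the final measurement.
    """
    chosen = min_cost
    for cost in range(min_cost, max_cost + 1):
        if measure(cost) > target_seconds:
            break
        chosen = cost
    return chosen


def work_ratio(old_cost: int, new_cost: int) -> float:
    """Relative work of new_cost versus old_cost (2**6 / 2**7 == 0.5)."""
    return 2.0 ** (new_cost - old_cost)


if __name__ == "__main__":
    # Aim for roughly a tenth of a second per hash on this machine.
    picked = choose_cost(measure_seconds, target_seconds=0.1)
    print(f"chosen cost: {picked} (~{measure_seconds(picked):.3f} s per hash)")
    print(f"cost 7 -> 6 changes work by a factor of {work_ratio(7, 6)}")
```

`choose_cost` takes the timing function as a parameter so it can be exercised with a deterministic model of the machine (for instance `lambda c: 0.001 * 2 ** c`), and the real `measure_seconds` is only used when run as a script; on a machine where the stand-in hash is noisy, repeating each measurement and taking the minimum before comparing to the target avoids stopping one step early.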