Shadow and PAM: Switch to Yescrypt

Attention - you must have libxcrypt for this.  If you are running an old
LFS release, install libxcrypt, then rebuild Shadow --with-yescrypt.

Technically if Shadow is built with PAM, then --with-{b,yes}crypt
switches are not necessary (but also do no harm).  Just keep it there to
sync with LFS and prevent people building Shadow w/o PAM being locked
out of their system.

postlfs/security/libpwquality.xml

@@ -149,12 +149,11 @@ password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                          dictcheck=1 usercheck=1 \
                                          enforcing=1 badwords="" \
                                          dictpath=/usr/lib/cracklib/pw_dict
-# use sha512 hash for encryption, use shadow, and use the
-# authentication token (chosen password) set by pam_pwquality
-# above (or any previous modules). Also set the number of crypt rounds
-# to the value used in shadow.
-password  required    pam_unix.so        sha512 shadow use_authtok \
-                                         rounds=500000
+
+# use yescrypt hash for encryption, use shadow, and try to use any
+# previously defined authentication token (chosen password) set by any
+# prior module.
+password  required    pam_unix.so        yescrypt shadow try_first_pass
 
 # End /etc/pam.d/system-password</literal>
 EOF

postlfs/security/linux-pam.xml

@@ -342,11 +342,10 @@ EOF
 cat > /etc/pam.d/system-password << "EOF"
 <literal># Begin /etc/pam.d/system-password
 
-# use sha512 hash for encryption, use shadow, and try to use any previously
-# defined authentication token (chosen password) set by any prior module.
-# Use the same number of rounds as shadow.
-password  required    pam_unix.so       sha512 shadow try_first_pass \
-                                        rounds=500000
+# use yescrypt hash for encryption, use shadow, and try to use any
+# previously defined authentication token (chosen password) set by any
+# prior module.
+password  required    pam_unix.so       yescrypt shadow try_first_pass
 
 # End /etc/pam.d/system-password</literal>
 EOF
@@ -359,63 +358,6 @@ EOF
        PAM module with strong password support.
      </para>
 
-<!-- With the removal of the pam_cracklib module, we're supposed to be using
-     libpwquality. That already includes instructions in its configuration
-     information page, so we'll use those instead.
-
-     Linux-PAM must be installed prior to libpwquality so that PAM support
-     is built in, and the PAM module is built.
--->
-<!-- WARNING: If for any reason the instructions below are reinstated be
-     careful with the number of rounds, which should match the one in shadow.
-      <para>
-        The remaining generic file depends on whether <xref
-        linkend="cracklib"/> is installed.  If it is installed, use:
-      </para>
-
-<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/system-password
-
-# check new passwords for strength (man pam_cracklib)
-password  required    pam_cracklib.so    authtok_type=UNIX retry=1 difok=5 \
-                                         minlen=9 dcredit=1 ucredit=1 \
-                                         lcredit=1 ocredit=1 minclass=0 \
-                                         maxrepeat=0 maxsequence=0 \
-                                         maxclassrepeat=0 \
-                                         dictpath=/lib/cracklib/pw_dict
-# use sha512 hash for encryption, use shadow, and use the
-# authentication token (chosen password) set by pam_cracklib
-# above (or any previous modules)
-password  required    pam_unix.so        sha512 shadow use_authtok
-
-# End /etc/pam.d/system-password</literal>
-EOF</userinput></screen>
-
-      <note>
-        <para>
-          In its default configuration, pam_cracklib will
-          allow multiple case passwords as short as 6 characters, even with
-          the <parameter>minlen</parameter> value set to 11. You should review
-          the pam_cracklib(8) man page and determine if these default values
-          are acceptable for the security of your system.
-        </para>
-      </note>
-
-      <para>
-        If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
-        use:
-      </para>
-
-<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/system-password
-
-# use sha512 hash for encryption, use shadow, and try to use any previously
-# defined authentication token (chosen password) set by any prior module
-password  required    pam_unix.so       sha512 shadow try_first_pass
-
-# End /etc/pam.d/system-password</literal>
-EOF</userinput></screen>
--->
       <para>
         Next, add a restrictive <filename>/etc/pam.d/other</filename>
         configuration file.  With this file, programs that are PAM aware will

postlfs/security/shadow.xml

@@ -131,14 +131,14 @@ find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &&
 find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
 find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &&
 
-sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
-    -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@'       \
-    -e 's@/var/spool/mail@/var/mail@'                 \
-    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
-    -i etc/login.defs                                 &&
+sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' \
+    -e 's@/var/spool/mail@/var/mail@'                   \
+    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                  \
+    -i etc/login.defs                                   &&
 
 ./configure --sysconfdir=/etc               \
             --disable-static                \
+            --with-{b,yes}crypt             \
             --with-group-name-max-length=32 &&
 make</userinput></screen>
 
@@ -181,14 +181,12 @@ make</userinput></screen>
     </para>
 
     <para>
-      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
-        's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' -e
+      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' -e
         's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
         -i etc/login.defs</command>: Instead of using the default 'DES'
-      method, this command modifies the installation to use the more secure
-      'SHA512' method of hashing passwords, which also allows passwords
-      longer than eight characters. The number of rounds is also increased
-      to prevent brute force password attacks. The command also changes the
+      method, this command modifies the installation to use the much more
+      secure 'YESCRYPT' method of hashing passwords, which also allows
+      passwords longer than eight characters.  The command also changes the
       obsolete <filename class="directory">/var/spool/mail</filename> location
       for user mailboxes that <application>Shadow</application> uses by
       default to the <filename class="directory">/var/mail</filename>