Eero Tamminen dixit: >(I started a new thread from "Kullervo")
That’s fine, I was reminded a bit of a.s.r threads on Usenet already… >At least my /etc/pam.d/common-password doesn't have the rounds >keyword mentioned here: > http://forums.debian.net/viewtopic.php?f=30&t=60679&start=30 > >so I assume it does the hashing only once? Of course not! It’s a security thing. I just looked it up: http://www.akkadia.org/drepper/SHA-crypt.txt says the default is 5'000 with a minimum of 1'000 and a maximum of 999'999'999. >> I’ve got no idea how to change the default algorithm back to >> md5crypt, that’s a debian user question. > >http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.11 Ah, thanks ;-) We do not use PAM on Real BSDs™, so my ignorance should be excused. >After changing "sha512" in /etc/pam.d/common-password to "md5", >login is nearly instant. Thanks! Good to know. >The difference is really huge, somebody should really look into >that at some point... Does any of the kernel profiling functionality >work on m68k port? The *intent* of this function is to be slow, so that people trying to crack into an account are delayed sufficiently, even on multi-GHz machines. It is *specifically* designed to be slow. Anyway, removing “obscure” (to allow me to change my password at all) and changing “sha512” to “md5” in /etc/pam.d/common-password made things fast, thanks. I also, in the meantime, discovered where the defaults come from: /usr/share/pam-configs/unix in libpam-runtime which unfortunately is arch:all. I’ll be asking the maintainer (vorlon) whether it’s possible to have different defaults for slow architectures but, given it’s still somewhat usable, I guess we should just make a note to change this file into the install documentation. bye, //mirabilos -- [...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but what about xfs, and if only i had waited until reiser4 was ready... in the be- ginning, there was ffs, and in the middle, there was ffs, and at the end, there was still ffs, and the sys admins knew it was good. :) -- Ted Unangst über *fs -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
