Currently, you can change the password hashing algorithm used by crypt()
with the passwd_format in /etc/login.conf

However, as far as I could find, you cannot change the number of
'rounds', the dynamic adjustment factor using in bcrypt, and
sha256crypt, and sha512crypt.

bcrypt uses a log number, the default is 4 (so 2^4 rounds). The minimum
is currently 4, and the maximum 31

sha256 and sha512crypt default to 5000, with a minimum of 1000 and a
maximum of 999999999

OpenBSD implements this in login.conf with 'localcipher' similar to our
'passwd_format', except it takes an optional 2nd parameter, the number
of log2() rounds.

Arch implements this in pam_unix with rounds=

For compatibility, it might make most sense to use a separate variable
rather than adding the optional parameter to the existing passwd_format,
so older boxes do not choke on it.


Allan Jude

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to