A search of the list archive has shown hash_rounds_min, hash_rounds_max and 
"hash rounds" to have only appeared in the release notes linked to in the 
announcement of the release of SL 5.2. This suggests the topic of hash rounds 
control has never been discussed on this list.

If anyone has gotten this feature, or the counterpart in login.defs 
(SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS), to work on any RHEL related 
distribution, I would appreciate knowing how you did it, because this does not 
seem to work as the documentation I've found says it should. I know the crypt 
method must be SHA256 or SHA512.

I don't believe hash rounds is working because there is no perceptible delay 
when the hash is initially created or when it is used to authenticate. This is 
true even when the range is set to 900000000 to 999000000, near the upper limit 
allowed. It's true using su at a shell prompt, where there is no GUI setup to 
obscure the authentication time, even on a slow, dual core PC. It seems that 
nearly a billion rounds of SHA512 should cause a very noticeable delay, and 
probably an unusably long delay.

On Scientific Linux release 6.3 (Carbon), 2.6.32-279.19.1.el6.x86_64, with no 
GUI installed, I've used vi to edit /etc/libuser.conf to include 
"hash_rounds_min = 900000000" and "hash-rounds_max = 999000000" in the 
[defaults] section. I've also edited /etc/login.defs to include 
"SHA_CRYPT_MIN_ROUNDS 900000000" and "SHA_CRYPT_MAX_ROUNDS 999000000". I've 
tried these singly and both together. After the edits I've also tried 
"authconfig --passalgo=sha256 --update" followed by "authconfig 
--passalgo=sha512 --update". As there is no documented method to change the 
text configuration files for the hash rounds option, I thought possibly using 
authconfig might get some other program involved in this to notice the vi 
changes to the text configuration files.

On CentOS release 5.10 (final) I've tried similar steps in libuser.conf; there 
are no documented counterparts in login.defs. A detailed description is 
publicly available at:
https://www.centos.org/forums/viewtopic.php?f=24&t=44245

If anyone can suggest anything I may have overlooked it would very much be 
appreciated. If anyone knows or believes this feature to be broken that would 
also be useful.

Thank you.
George Shaffer
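
An added example, not part of the original message: rather than judging by login delay, the rounds actually applied can be read from the password field in /etc/shadow, because a SHA-crypt hash created with an explicit round count carries a "rounds=N$" element and one without it used the default of 5000. The function names and the sample lines below are constructed for illustration; the range checked is the one quoted in the message.

```python
import re

# Limits from the SHA-crypt specification implemented by glibc crypt().
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SCHEMES = {"5": "SHA256", "6": "SHA512"}

# Layout: $id$[rounds=N$]salt$digest, salt at most 16 characters.
SHA_CRYPT = re.compile(r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
                       r"(?P<salt>[^$:]{0,16})\$(?P<digest>[./0-9A-Za-z]+)$")

def parse_sha_crypt(field):
    """Return (scheme, effective_rounds, explicit) or None if not SHA-crypt."""
    m = SHA_CRYPT.match(field)
    if m is None:
        return None
    explicit = m.group("rounds") is not None
    rounds = int(m.group("rounds")) if explicit else ROUNDS_DEFAULT
    # crypt() clamps out-of-range values instead of rejecting them.
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    return SCHEMES[m.group("id")], rounds, explicit

def audit_shadow(lines, want_min, want_max):
    """Map each user to a verdict on whether the configured range was applied."""
    verdicts = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0] or parts[0].startswith("#"):
            continue
        parsed = parse_sha_crypt(parts[1].lstrip("!"))  # '!' marks a locked hash
        if parsed is None:
            verdicts[parts[0]] = "no SHA-crypt hash"
        elif not parsed[2]:
            verdicts[parts[0]] = "default rounds (%d): setting not applied" % parsed[1]
        elif want_min <= parsed[1] <= want_max:
            verdicts[parts[0]] = "%s rounds=%d: in range" % (parsed[0], parsed[1])
        else:
            verdicts[parts[0]] = "%s rounds=%d: outside range" % (parsed[0], parsed[1])
    return verdicts

# Constructed sample lines in /etc/shadow layout; digests are filler, not real hashes.
SAMPLE = [
    "alice:$6$Zx3kQp1LmN8sT0aB$" + "A" * 86 + ":15700:0:99999:7:::",
    "bob:$6$rounds=950000000$Zx3kQp1LmN8sT0aB$" + "B" * 86 + ":15700:0:99999:7:::",
    "carol:$5$rounds=20000$saltsalt$" + "C" * 43 + ":15700:0:99999:7:::",
    "daemon:*:15700:0:99999:7:::",
]

for user, verdict in audit_shadow(SAMPLE, 900000000, 999000000).items():
    print(user, "->", verdict)
```

To check a live system, pass the lines of /etc/shadow (read as root) to audit_shadow in place of SAMPLE.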
