From: Marcin Krol Date: Sat, 6 Jul 2024 19:03:16 +0000 (+0200) Subject: - updated to 4.16.0, updated login.defs X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=HEAD;p=packages%2Fshadow.git - updated to 4.16.0, updated login.defs --- diff --git a/shadow-login.defs b/shadow-login.defs index ef79651..18e3f50 100644 --- a/shadow-login.defs +++ b/shadow-login.defs @@ -149,6 +149,11 @@ ERASECHAR 0177 KILLCHAR 025 UMASK 077 +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +#HOME_MODE 0700 + # # Password aging controls: # @@ -201,7 +206,7 @@ CHFN_RESTRICT rwh # # Should login be allowed if we can't cd to the home directory? -# Default in no. +# Default is no. # DEFAULT_HOME yes @@ -265,37 +270,86 @@ CONSOLE /etc/securecty #MD5_CRYPT_ENAB no # -# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password # If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. # Overrides the MD5_CRYPT_ENAB option # # Note: It is recommended to use a value consistent with # the PAM modules configuration. # -ENCRYPT_METHOD SHA512 +ENCRYPT_METHOD YESCRYPT # -# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # # Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute forcing the password. -# But note also that it more CPU resources will be needed to authenticate -# users. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. # -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be inside the 1000-999999999 range. +# If not specified, the libc will choose the default number of rounds (5000), +# which is orders of magnitude too low for modern hardware. +# The values must be within the 1000-999999999 range. # If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. # -# SHA_CRYPT_MIN_ROUNDS 5000 -# SHA_CRYPT_MAX_ROUNDS 5000 +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to YESCRYPT. +# +# Define the YESCRYPT cost factor. +# With a higher cost factor, it is more difficult to brute-force the password. +# However, more CPU time and more memory will be needed to authenticate users +# if this value is increased. +# +# If not specified, a cost factor of 5 will be used. +# The value must be within the 1-11 range. +# +#YESCRYPT_COST_FACTOR 5 + +# +# The pwck(8) utility emits a warning for any system account with a home +# directory that does not exist. Some system accounts intentionally do +# not have a home directory. Such accounts may have this string as +# their home directory in /etc/passwd to avoid a spurious warning. +# +NONEXISTENT /nonexistent + +# +# Allow newuidmap and newgidmap when running under an alternative +# primary group. +# +#GRANT_AUX_GROUP_SUBIDS yes + +# +# Prevents an empty password field to be interpreted as "no authentication +# required". +# Set to "yes" to prevent for all accounts +# Set to "superuser" to prevent for UID 0 / root (default) +# Set to "no" to not prevent for any account (dangerous, historical default) +PREVENT_NO_AUTH superuser + +# +# Select the HMAC cryptography algorithm. +# Used in pam_timestamp module to calculate the keyed-hash message +# authentication code. +# +# Note: It is recommended to check hmac(3) to see the possible algorithms +# that are available in your system. +# +#HMAC_CRYPTO_ALGO SHA512 ################# OBSOLETED BY PAM ############## # # -# These options are now handled by PAM. Please # -# edit the appropriate file in /etc/pam.d/ to # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # # enable the equivelants of them. # # # ################################################# diff --git a/shadow.spec b/shadow.spec index f5c715f..7005cc1 100644 --- a/shadow.spec +++ b/shadow.spec @@ -10,13 +10,13 @@ Summary(pl.UTF-8): Narzędzia do obsługi mechanizmu ukrytych haseł Summary(pt_BR.UTF-8): Utilitários para o arquivo de senhas Shadow Summary(tr.UTF-8): Gölge parola dosyası araçları Name: shadow -Version: 4.15.1 +Version: 4.16.0 Release: 1 Epoch: 1 License: BSD Group: Applications/System Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/%{name}-%{version}.tar.xz -# Source0-md5: 006b0856abd49b5e7b45b7cb78ca272a +# Source0-md5: eb70bad3316d08f0d3bb3d4bbeccb3b4 Source2: %{name}-login.defs Source3: %{name}.useradd Source10: chage.pamd @@ -680,5 +680,5 @@ fi %lang(fr) %{_mandir}/fr/man1/newuidmap.1* %lang(fr) %{_mandir}/fr/man5/subgid.5* %lang(fr) %{_mandir}/fr/man5/subuid.5* -%ghost %{_libdir}/libsubid.so.4 +%ghost %{_libdir}/libsubid.so.5 %attr(755,root,root) %{_libdir}/libsubid.so.*.*.*