Package: libpam-modules Version: 1.4.0-10 Severity: normal -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
In /etc/pam.d/common-password I have the following: password [success=1 default=ignore] pam_unix.so obscure yescrypt rounds=2097152 I've experiemented with various values of the rounds parameter, but no value I can put in produces a difference in the shadow file, or in the time to hash a password. According to the documentation for the yescrypt algorithm, the N parameter must be a power of two. Here's an example: with rounds=524288 bminton:$y$j9T$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:18969:0:99999:7::: and with rounds=16777216 bminton:$y$j9T$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:18969:0:99999:7::: Note that the parameters section of the modular crypt entry, j9T is the same in both cases. I've also confirmed that when using sha256, sha512, or blowfish (for bcrypt) options, the shadow file contains the correct rounds parameter. It's also worth noting that with sha256 or sha512, the rounds parameter is the actual number of rounds, while with blowfish the rounds parameter is raised to the power of 2. I've tried both sizes of integers for yescrypt but haven't ever seen any change in the output. - - -- System Information: Debian Release: 11.1 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_USER Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libpam-modules depends on: ii debconf [debconf-2.0] 1.5.77 ii libaudit1 1:3.0-2 ii libc6 2.32-5 ii libcrypt1 1:4.4.18-4 ii libdb5.3 5.3.28+dfsg1-0.8 ii libnsl2 1.3.0-2 ii libpam-modules-bin 1.4.0-10 ii libpam0g 1.4.0-9+deb11u1 ii libselinux1 3.1-3 ii libtirpc3 1.3.1-1 libpam-modules recommends no packages. libpam-modules suggests no packages. - - -- debconf information: libpam-modules/profiles-disabled: * libpam-modules/disable-screensaver: libpam-modules/deprecate-tally: -----BEGIN PGP SIGNATURE----- iHUEAREIAB0WIQT5xLt2Dng/DewQpoprjrOgZc+6qQUCYbE4uAAKCRBrjrOgZc+6 qZPNAP9uA/ML3jPJ2Dqc3Gj59zlM7rlPI7sLD5JAvt1JPS0JKAD7BXO5ngx5wwUv Rgq202b3p7pfLAf+DlhvSoZLNlXiX9k= =45LD -----END PGP SIGNATURE-----
