Stuart Henderson <s...@spacehopper.org> wrote:

> On 2020/05/22 17:06, Daniel Jakots wrote:
> > Hi,
> > 
> > We used to have different numbers of blowfish rounds between the
> > default and daemon classes in login.conf. On Jun 26, 2016, tedu
> > committed "upgrade selected login.conf to use auto rounds for bcrypt"
> > for amd64, sparc64, i386, and macppc [1].
> > 
> > Since the class daemon inherits from the default class, the 
> > :localcipher=blowfish,a:\
> > is a duplicate.
> > 
> > Here's a diff to remove them.
> 
> I'm OK with unifying these settings, but FWIW I never switched to auto
> for these, it doesn't seem all that sensible for somebody with the ability
> to generate enough load on the machine to be able to reduce the strength
> of bcrypt down to the 64 (2^6) rounds minimum.

Yes, that is problematic.

The minimum should probably be raised, we should consider if auto
should even exist anymore.
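
An added example, not part of the original thread or of OpenBSD's code: a small audit that resolves `tc=` inheritance in a login.conf-style file and reports classes whose `localcipher` duplicates the inherited value or leaves bcrypt rounds on auto. The sample file, the `staff` class and the simplified resolution rule are assumptions made for illustration.

```python
import re

# Constructed sample in login.conf(5) format, not copied from a real system.
SAMPLE = """\
default:\\
	:umask=022:\\
	:localcipher=blowfish,a:

daemon:\\
	:localcipher=blowfish,a:\\
	:tc=default:

staff:\\
	:localcipher=blowfish,10:\\
	:tc=default:
"""

def parse(text):
    """Return {class_name: [(capability, value), ...]} in file order."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join backslash-continued lines
    classes = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, *fields = line.strip().split(":")
        caps = [tuple(f.split("=", 1)) if "=" in f else (f, "") for f in fields if f]
        for alias in name.split("|"):
            classes[alias] = caps
    return classes

def lookup(classes, cls, cap, seen=()):
    """Simplified resolution (assumption): a local value wins, else follow tc=."""
    for key, value in classes.get(cls, []):
        if key == cap:
            return value, cls
        if key == "tc" and value not in seen:
            found = lookup(classes, value, cap, seen + (cls,))
            if found:
                return found
    return None

def audit(text):
    """Flag duplicated localcipher entries and bcrypt auto rounds per class."""
    classes, findings = parse(text), []
    for cls, caps in classes.items():
        local, parent = dict(caps).get("localcipher"), dict(caps).get("tc")
        inherited = lookup(classes, parent, "localcipher") if parent else None
        if local and inherited and local == inherited[0]:
            findings.append((cls, "duplicate", "same value comes from " + inherited[1]))
        effective = local or (inherited[0] if inherited else "")
        if effective == "blowfish,a":
            findings.append((cls, "auto", "bcrypt rounds are not pinned"))
    return findings
```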
