[Pkg-shadow-devel] redhat patches

Peter Vrabec pvrabec at redhat.com
Mon Nov 19 15:36:26 UTC 2007


I asked Ulrich D. about some things that were not clear about SHA-256/512.

> Are we supposed to use "rounds=NNN" parameter in  the salt string? Is it
> possible in future, that glibc change default rounds value?
The default is not going to change but the requirements will.  You need
to have a way to allow the sysadmin to specify the rounds and then use
the value.  Even better, allow specifying a range and choose a random
value in that range.

> I don't think that is true. IMO, the varying size adds less than one
> bit of entropy. So moving from 8 to 16 adds much more entropy.
??  Have you looked at the inner loop?  In several places we are adding
a number of bytes corresponding to the length of the salt string.

> I don't think that is important though, I don't think having a fixed
> size entropy is interesting neither and having a minimum of 8 bytes
> is quite good. (shadow-utils upstream)
> Are we OK with 8 bytes?
I think it should be a random value from 8 to 16.  This is for brute
force attacks.

More information about the Pkg-shadow-devel mailing list