[RFE] pbkdf2 hardcoded parameters should be turned into configuration options

[vashirov]

This is related to #5356

One example is the password hashing round value that is currently hardcoded and can be seen as not secure anymore. Certain compliance requirements (like from BSI) require specific hashing round values greater than what we currently provide.

Cloned from https://issues.redhat.com/browse/RHEL-42485

[Firstyear]

The rust versions of this aren't affected by this as they can have the values ramped up iirc.

[tbordaz]

The rust versions of this aren't affected by this as they can have the values ramped up iirc.

My understanding is that, regarding for example rounds number, we should make PBKDF2_ROUNDS configurable. Am I missing something ?

[Firstyear]

We should just be incrementing this value server side over time instead, rather than letting people configure it - not everything should be a config, we should just have good defaults.

[tbordaz]

I agree we should pick good defaults (like 10.000 iterations) but why preventing an administrator to tune it ?
Regarding security the administrator is able to tune its sslversion/ciphers/client_auth... to improve the security of the server. Similarly the number of iterations contribute to make the attacks more difficult and administrator should be able to tune it.
We can see that the recommended value increased in the past so 10.000 has no reason to be the final limit.