make sha rounds configurable and increase no of rounds (#452)

* make sha rounds configurable and increase no of rounds Fixes #365 Signed-off-by: rndmh3ro <github@gumpri.ch> * Prettified Code! * make password rounds configurable in pam system-auth Signed-off-by: rndmh3ro <github@gumpri.ch> * change wording of sha rounds documentation Co-authored-by: schurzi <Martin.Schurz@t-systems.com> Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
dev-sec · Jun 30, 2021 · 9cefddd · 9cefddd
1 parent c769db4
commit 9cefddd
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -193,6 +193,12 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
   - Default: `lost+found`
   - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+- `os_sha_crypt_min_rounds`
+  - Default: `640000`
+  - Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+- `os_sha_crypt_max_rounds`
+  - Default: `640000`
+  - Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
 
 ## Packages
 

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -321,3 +321,9 @@ os_selinux_policy: targeted
 
 # Mount options for proc in /etc/fstab.
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
+
+# Define the number of SHA rounds.
+# With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users.
+# The values must be inside the 1000-999999999 range.
+os_sha_crypt_min_rounds: "640000"
+os_sha_crypt_max_rounds: "640000"
diff --git a/roles/os_hardening/templates/etc/login.defs.j2 b/roles/os_hardening/templates/etc/login.defs.j2
@@ -170,11 +170,11 @@ MD5_CRYPT_ENAB    no
 ENCRYPT_METHOD    SHA512
 
 # Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
+# With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users.
 # If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
-#SHA_CRYPT_MIN_ROUNDS    5000
-#SHA_CRYPT_MAX_ROUNDS    5000
+SHA_CRYPT_MIN_ROUNDS    {{ os_sha_crypt_min_rounds }}
+SHA_CRYPT_MAX_ROUNDS    {{ os_sha_crypt_max_rounds }}
 
 
 # Obsoleted by PAM

diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -38,7 +38,7 @@ password    requisite     pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {# NSA 2.3.3.6 Limit Password Reuse #}
 password    requisite     pam_pwhistory.so remember=5 use_authtok
 {# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
-password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok rounds={{ os_sha_crypt_min_rounds }}
 {% if (os_auth_pam_sssd_enable | bool) %}
 password    sufficient    pam_sss.so use_authtok
 {% endif %}