On Wed, 2013-02-06 at 19:42 +0400, Dmitry V. Levin wrote:
On Wed, Feb 06, 2013 at 04:08:05PM +0100, Thorsten Kukuk wrote:
On Wed, Feb 06, Dmitry V. Levin wrote:
Besides that it allows invalid configurations, it still doesn't support some valid ones, e.g. encryption related rounds= option would be silently ignored,
Why would rounds= options be silently ignored?
When the option returned by search_key() has a value (like rounds= usually does), that value is silently ignored.
It's only a way to set the default consistently, for fine-tuning, none of the current options are removed, disabled, restricted, or whatever else.
If all this option can specify is the name of password hashing algorithm, then it would be only logical if it wouldn't try to accept anything besides that, and appropriate diagnostics would certainly help to diagnose a typo or any other kind of invalid usage.
Yes, that is a valid argument.
And yes, it is a password hashing method rather than generic encrypt method, wouldn't it be better to call this new /etc/login.defs parameter, e.g. PASSWORD_HASHING_METHOD instead of ENCRYPT_METHOD?
ENCRYPT_METHOD is already established by shadow-utils. Changing it would be pointless.
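The validation discussed in this thread, as an added example that is not part of the original messages and is not Linux-PAM or shadow-utils code: a reader for the ENCRYPT_METHOD line that accepts exactly one known method name and reports a typo or a trailing option such as rounds= instead of silently dropping it. The names parse_encrypt_method and em_status, the accepted-name list, the case-sensitive match and the last-line-wins rule are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum em_status { EM_UNSET, EM_OK, EM_UNKNOWN, EM_TRAILING };

/* Assumed set of accepted method names; not taken from the thread. */
static const char *const em_known[] = { "DES", "MD5", "SHA256", "SHA512" };

/* Scan login.defs-style text for ENCRYPT_METHOD. On EM_OK, *method points at
 * the matched name; otherwise it is NULL. The last matching line wins. */
enum em_status parse_encrypt_method(const char *text, const char **method)
{
    static const char key[] = "ENCRYPT_METHOD";
    const size_t klen = sizeof(key) - 1;
    enum em_status st = EM_UNSET;
    const char *line = text;

    *method = NULL;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;

        while (p < end && isblank((unsigned char)*p)) p++;
        /* Key must be followed by a blank; '#' comment lines never match. */
        if ((size_t)(end - p) > klen && memcmp(p, key, klen) == 0 &&
            isblank((unsigned char)p[klen])) {
            const char *v = p + klen, *ve;
            size_t i, n;

            while (v < end && isblank((unsigned char)*v)) v++;
            for (ve = v; ve < end && !isspace((unsigned char)*ve); ve++) ;
            n = (size_t)(ve - v);
            st = EM_UNKNOWN; *method = NULL;
            for (i = 0; i < sizeof(em_known) / sizeof(em_known[0]); i++)
                if (strlen(em_known[i]) == n && memcmp(v, em_known[i], n) == 0) {
                    *method = em_known[i]; st = EM_OK;
                }
            /* Anything after the name (e.g. "rounds=5000") is reported. */
            while (ve < end && isspace((unsigned char)*ve)) ve++;
            if (st == EM_OK && ve < end) { st = EM_TRAILING; *method = NULL; }
        }
        line = eol ? eol + 1 : end;
    }
    return st;
}

int main(void) { /* constructed sample input */
    const char *m;
    printf("%d\n", parse_encrypt_method("ENCRYPT_METHOD SHA512 rounds=5000\n", &m));
    return 0; }
```

A caller would log EM_UNKNOWN and EM_TRAILING as configuration errors and fall back to its built-in default rather than proceed with a partially parsed value.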