[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bootup and login performance

Eero Tamminen dixit:

>(I started a new thread from "Kullervo")

That’s fine, I was reminded a bit of a.s.r threads on Usenet already…

>At least my /etc/pam.d/common-password doesn't have the rounds
>keyword mentioned here:
>	http://forums.debian.net/viewtopic.php?f=30&t=60679&start=30
>so I assume it does the hashing only once?

Of course not! It’s a security thing. I just looked it up:
http://www.akkadia.org/drepper/SHA-crypt.txt says the default
is 5'000 with a minimum of 1'000 and a maximum of 999'999'999.

>> I’ve got no idea how to change the default algorithm back to
>> md5crypt, that’s a debian user question.

Ah, thanks ;-) We do not use PAM on Real BSDs™, so my ignorance
should be excused.

>After changing "sha512" in /etc/pam.d/common-password to "md5",
>login is nearly instant.   Thanks!

Good to know.

>The difference is really huge, somebody should really look into
>that at some point...  Does any of the kernel profiling functionality
>work on m68k port? 

The *intent* of this function is to be slow, so that people
trying to crack into an account are delayed sufficiently,
even on multi-GHz machines. It is *specifically* designed
to be slow.

Anyway, removing “obscure” (to allow me to change my password
at all) and changing “sha512” to “md5” in /etc/pam.d/common-password
made things fast, thanks. I also, in the meantime, discovered where
the defaults come from: /usr/share/pam-configs/unix in libpam-runtime
which unfortunately is arch:all. I’ll be asking the maintainer (vorlon)
whether it’s possible to have different defaults for slow architectures
but, given it’s still somewhat usable, I guess we should just make a
note to change this file into the install documentation.

[...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but
what about xfs, and if only i had waited until reiser4 was ready... in the be-
ginning, there was ffs, and in the middle, there was ffs, and at the end, there
was still ffs, and the sys admins knew it was good. :)  -- Ted Unangst über *fs

Reply to: