From: Tobias Stoeckmann
Date: Fri, 19 Dec 2025 11:02:45 +0000 (+0000)
Subject: PASS_MAX_LEN.xml: Explain PASS_MAX_LEN use cases
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7255cd93a642ccfcd8cf89f0cbe1085d5c43ca27;p=thirdparty%2Fshadow.git

PASS_MAX_LEN.xml: Explain PASS_MAX_LEN use cases

The `PASS_MAX_LEN` is effectively only used for DES. Do not describe it in a way that makes it sound like `MD_CRYPT_ENAB=yes` is required to disable it. Any other `ENCRYPT_METHOD` disables it as well.

Also, even for DES, `PASS_MAX_LEN` requires `OBSCURE_CHECKS_ENAB` to have any effect.

Even more, `PASS_MIN_LEN` and `PASS_MAX_LEN` are only used for user passwords. Group passwords are not checked.

Note: All of this is actually true even if compiled with PAM if command line arguments change root. But if compiled with PAM support, this section is not added to manual pages... Since this is true for some more files, it's not part of this commit.

Link to source files:
- lib/obscure.c line 133 stops further checks, including max length, if OBSCURE_CHECKS_ENAB is not yes
- lib/obscure.c line 172 is only reached in case of DES
- src/passwd.c line 248 duplicates the check for output
- src/gpasswd.c has no reference to obscure

Signed-off-by: Tobias Stoeckmann
--- diff --git a/man/login.defs.d/PASS_MAX_LEN.xml b/man/login.defs.d/PASS_MAX_LEN.xml index 2e1458375..3d29fc543 100644 --- a/man/login.defs.d/PASS_MAX_LEN.xml +++ b/man/login.defs.d/PASS_MAX_LEN.xml 
@@ -10,10 +10,26 @@ Number of significant characters in the password for crypt(). - is 8 by default. Don't change unless - your crypt() is better. This is ignored if - set to + + + is 8 by default. + Don't change unless your crypt() is better. + + + is only used for DES. + It is ignored if an encryption algorithm other than DES is used, + either because set to + yes or + set to an algorithm other than DES. + + + In addition, is only used if + set to yes. + + Note: This only affects the generation of user passwords. + Group password lengths are not checked. +
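Review bot: In the first added paragraph, the retained advice "Don't change unless your crypt() is better" now sits directly above the new statement that the value is only used for DES, and the two read as contradictory: an administrator who moves to a stronger algorithm is told in the next paragraph that the setting is then ignored. Suggest dropping the old sentence or rewording it to say that the default of 8 matches the number of characters DES crypt() treats as significant, so raising it gives no benefit while DES is in use. In the second and third added paragraphs, the clauses "either because ... set to yes or ... set to an algorithm other than DES" and "is only used if ... set to yes" lack a verb; "is set to" would read better in each. In the closing note, "the generation of user passwords" is vague next to the commit message, which ties the behaviour to src/passwd.c performing the check and src/gpasswd.c not referencing it; wording such as "passwords changed for user accounts" would make clear when the limit applies.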