Digging into the PAM configuration for the supported #Linux crypt #password hashes.

libxcrypt supports scrypt, yescrypt, and gost-yescrypt, among others.

PAM has a "rounds=n" option specifying the CPU cost. But scrypt, yescrypt, and gost-yescrypt are CPU and RAM intensive. How do you set the other params?

yescrypt handles it for you:

if rounds==0 {
    rounds=5
}
if rounds>11 {
    return ERROR
} else if rounds<3 {
    N=2^(rounds+9)
    r=8
    p=1
} else {
    N=2^(rounds+7)
    r=32
    p=1
}

#unix #passwords

I believe gost-yescrypt follows the same logic as yescrypt, although I'm struggling to read the source code.

However, for scrypt, things are a little different:

if rounds==0 {
    rounds=7
}
if rounds<6 || rounds>11 {
    return ERROR
} else {
    N=2^(rounds+7)
    r=32
    p=1
}

Playing with mkpasswd(1), this is confirmed.

A couple of observations:

1. I don't know what's up with the "..../....." in the scrypt hashes.
2. The N/p/r parameters are base64 encoded. I haven't yet read the source code on how to correctly decode those.
3. However, you can still see the parameters change when the rounds=n parameter increases for each. Look at the second $-delimited field.

gist.github.com/atoponce/02451
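An added example, not part of the thread or of libxcrypt: a decoder for the parameter field of a "$7$" scrypt hash, useful for auditing the cost settings of stored hashes against the rounds=n mapping quoted above. It goes beyond the thread in assuming the "$7$" layout (one character for log2(N), then five characters each for r and p, in the crypt base64 alphabet, least-significant 6 bits first); the function names and the sample string are constructed for illustration.

```python
"""Decode the cost fields of a crypt(5) scrypt ("$7$") hash string."""

# crypt(3)-style base64 alphabet; a character's index is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _decode_uint30(field):
    """Decode five characters, least-significant 6 bits first."""
    value = 0
    for shift, ch in enumerate(field):
        value |= ITOA64.index(ch) << (6 * shift)
    return value


def parse_scrypt_params(hash_string):
    """Return (N, r, p) from a "$7$" hash; raise ValueError if malformed."""
    if not hash_string.startswith("$7$"):
        raise ValueError("not a $7$ scrypt hash")
    setting = hash_string[3:]
    if len(setting) < 11:
        raise ValueError("truncated parameter field")
    try:
        n_log2 = ITOA64.index(setting[0])
        r = _decode_uint30(setting[1:6])
        p = _decode_uint30(setting[6:11])
    except ValueError:
        raise ValueError("invalid character in parameter field") from None
    return 2 ** n_log2, r, p


def expected_scrypt_params(rounds):
    """rounds=n to (N, r, p), following the scrypt mapping quoted in the thread."""
    if rounds == 0:
        rounds = 7
    if rounds < 6 or rounds > 11:
        raise ValueError("rounds out of range for scrypt")
    return 2 ** (rounds + 7), 32, 1


# Constructed sample: parameter prefix for the default cost, placeholder salt and hash.
SAMPLE = "$7$CU..../....CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER"

if __name__ == "__main__":
    n, r, p = parse_scrypt_params(SAMPLE)
    print(f"N=2^{n.bit_length() - 1} r={r} p={p}")
```

Under this layout the runs of "." in the parameter field are zero-valued padding characters of the fixed-width r and p fields.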


@atoponce

I alternate between these terminal utilities: pwgen, mkpasswd, xkcdpass, diceware, makepasswd.

What I should do when I get bored enough is write a wrapper script that randomly picks one of these utilities to generate a password of the same format.

Or have each utility generate 1 each.

@UncleIroh Note that mkpasswd(1) makes password hashes, rather than generating passwords.

@UncleIroh However, you might also enjoy this Gist. I need to update it as I have some more approaches to shell-based password generators.

gist.github.com/atoponce/b5428
