From 698edffcffd54e7d81bad0829cee9dd2f0a3a6d7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 25 Jan 2016 16:50:00 +0100
Subject: pam_unix: Change the salt length for new hashes to 16 characters
* modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
---
 modules/pam_unix/passverify.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'modules/pam_unix/passverify.c')
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index e79b55e6..078adc62 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -417,12 +417,9 @@ PAMH_ARG_DECL(char * create_password_hash,
 #endif
 sp = stpcpy(salt, algoid);
 if (on(UNIX_ALGO_ROUNDS, ctrl)) {
- sp += snprintf(sp, sizeof(salt) - 3, "rounds=%u$", rounds);
+ sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
 }
- crypt_make_salt(sp, 8);
- /* For now be conservative so the resulting hashes
- * are not too long. 8 bytes of salt prevents dictionary
- * attacks well enough. */
+ crypt_make_salt(sp, 16);
 #ifdef HAVE_CRYPT_GENSALT_R
 }
 #endif
-- cgit v1.2.3
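Review bot: The `sp += snprintf(...)` line still adds snprintf's return value to `sp` without checking it, so the new bound `sizeof(salt) - (16 + 1 + (sp - salt))` protects the buffer only when the `rounds=%u$` text fits. On truncation snprintf returns the untruncated length, and `crypt_make_salt(sp, 16)` would then start writing beyond the space the bound reserved. The declaration of `salt` is outside the hunk, so whether this can happen depends on its size, but a guard makes the invariant explicit: keep the result in an `int n`, take the function's error path when `n < 0 || (size_t)n >= room`, and only then do `sp += n`. The literal 16 also appears twice and must stay in sync, so a named constant (for example `#define SALT_LEN 16`, a constructed name) used in both places, with a one-line comment on why 16 was chosen, would replace the rationale comment this commit removes. create_password_hash begins and ends outside the hunk.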