login.defs: include SHA_CRYPT_MAX_ROUNDS

Resolves: RHEL-15024

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

shadow-utils.login.defs

@@ -77,6 +77,22 @@ CREATE_HOME	yes
 #
 USERGROUPS_ENAB yes
 
-# Use SHA512 to encrypt password.
+#
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+#
 ENCRYPT_METHOD SHA512
 
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# The values must be within the 1000-999999999 range.
+#
+SHA_CRYPT_MAX_ROUNDS 5000
+

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 19%{?dist}
+Release: 20%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
@@ -373,6 +373,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Mon Oct 30 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-20
+- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
+
 * Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
 - gpasswd: fix password leak. Resolves: #2215947