pamstretch-gen
Generate PAM mapping file for image stretching
TLDR
Scale up a PAM image by the specified decimal factor
SYNOPSIS
pamstretch-gen [--force] [--rounds=<value>] [--min-delay=<value>] [--max-delay=<value>] [--hash=<value>] [--method=<value>] [--salt=<value>] <path-to-pam_stretch.conf>
PARAMETERS
--force
Overwrites an existing pam_stretch.conf file without prompting for confirmation.
--rounds=<value>
Specifies the exact number of hashing rounds to perform for the stretching operation.
--min-delay=<value>
Sets the minimum desired delay (in microseconds) for the stretching operation. pamstretch-gen will calculate rounds to meet or exceed this.
--max-delay=<value>
Sets the maximum desired delay (in microseconds) for the stretching operation. pamstretch-gen will try to stay within this limit.
--hash=<value>
Specifies the cryptographic hash algorithm to use, e.g., sha512, sha256, sha1.
--method=<value>
Defines the stretching method to be used. Common values include pbkdf2 and pkcs5.
--salt=<value>
Provides a specific salt value to incorporate into the stretching process. This is typically a randomly generated value for security.
<path-to-pam_stretch.conf>
The required argument specifying the full path where the generated pam_stretch.conf file will be saved.
DESCRIPTION
pamstretch-gen is a utility designed to generate configuration files for the pam_stretch PAM (Pluggable Authentication Modules) module. This module enhances system security by performing "password stretching" on user credentials during authentication. Password stretching involves iteratively applying a cryptographic hash function (like SHA-512) to a password, making brute-force attacks significantly more computationally intensive and thus impractical for attackers.
pamstretch-gen allows administrators to define parameters such as the number of hashing rounds, minimum and maximum desired delay for stretching operations, the specific hashing algorithm to use, and the stretching method. By creating a pam_stretch.conf file with these settings, pamstretch-gen helps configure the PAM environment to enforce robust password security without requiring changes to existing applications. It's a crucial tool for systems aiming to mitigate password guessing and dictionary attacks effectively.
CAVEATS
pamstretch-gen only generates the configuration file; it does not perform the actual password stretching. The generated file must then be used by the pam_stretch PAM module to enforce the stretching policy. Misconfiguration, such as setting too few rounds or too short a delay, can compromise security, while excessive values can make authentication significantly slower. It's essential to understand the implications of the chosen parameters on both security and system performance.
WHAT IS PASSWORD STRETCHING?
Password stretching is a technique used in cryptography to increase the computational cost of verifying a password, thereby making brute-force attacks much harder and slower. Instead of directly hashing a password once, stretching involves applying a cryptographic hash function multiple times (thousands or millions of rounds) with a randomly generated "salt." This process ensures that even if an attacker obtains a database of stretched password hashes, they must expend significant computational resources for each guess, rendering large-scale cracking efforts impractical within a reasonable timeframe.
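The following Python code is an added example, not part of pamstretch-gen or pam_stretch: it calibrates a round count so that one derivation costs at least a minimum delay without exceeding a maximum, then uses that count for salted PBKDF2 stretching and verification. The function names, the 16-byte salt and the delay bounds are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


def time_pbkdf2_us(rounds, hash_name="sha512"):
    """Measure one PBKDF2 derivation on this host, in microseconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"calibration-pw", b"calibration-salt", rounds)
    return (time.perf_counter() - start) * 1_000_000


def calibrate_rounds(min_delay_us, max_delay_us, measure=time_pbkdf2_us, start=1000):
    """Smallest round count whose measured cost meets min_delay_us.
    Raises ValueError if that count already exceeds max_delay_us."""
    if min_delay_us > max_delay_us:
        raise ValueError("min delay exceeds max delay")
    lo, hi = 0, start
    while measure(hi) < min_delay_us:      # double until slow enough
        lo, hi = hi, hi * 2
    while hi - lo > 1:                     # binary search for the threshold
        mid = (lo + hi) // 2
        if measure(mid) >= min_delay_us:
            hi = mid
        else:
            lo = mid
    if measure(hi) > max_delay_us:
        raise ValueError("no round count satisfies both delay bounds")
    return hi


def stretch(password, rounds, salt=None, hash_name="sha512"):
    """Return (salt, derived key); a fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, rounds)


def verify(password, salt, rounds, expected, hash_name="sha512"):
    """Recompute with the stored salt and rounds; compare in constant time."""
    return hmac.compare_digest(stretch(password, rounds, salt, hash_name)[1], expected)


if __name__ == "__main__":
    rounds = calibrate_rounds(50_000, 500_000)   # constructed bounds: 50 ms to 500 ms
    salt, key = stretch("correct horse battery staple", rounds)  # constructed password
    print(rounds, verify("correct horse battery staple", salt, rounds, key))
```

Because the round count is derived from timing on the host where it runs, it should be calibrated on the machine that will perform authentication, and the salt and round count must be stored alongside the derived key so verification can repeat the same computation.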
HISTORY
The concept of password stretching and key derivation functions (KDFs) emerged as a critical countermeasure against brute-force password cracking, especially as computational power increased. pam_stretch and its generator pamstretch-gen were developed to integrate this security enhancement directly into the PAM authentication infrastructure on Linux and Unix-like systems. This allows for a standardized way to increase the computational cost of password verification, making it harder for attackers to compromise user accounts through offline attacks on stolen password hashes. Its development reflects the ongoing need to adapt authentication mechanisms to evolving threat landscapes.