File default.passwd of Package pam-modules

# This file contains some information about the
# hash to use for new or modified passwords.
#
# !!! This file is only used by pam_unix2.so !!!
#
# This file is not used by any other module like
# pam_unix.so!

# Define default crypt hash.
# CRYPT={des,md5,sha256,sha512}
CRYPT=

# Use another crypt hash for group passwords.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a specific service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=sha512
#
# For NIS, we should prefer DES if we have other UNIX
# clients than Linux:
CRYPT_YP=des

# sometimes we need to specify special options for a hash (variable
# is prepended by the name of the crypt hash). In case of blowfish
# and sha* this is the number of rounds
# blowfish: 4-31
# BLOWFISH_CRYPT_FILES=5
# sha256/sha512: 1000-9999999
# SHA512_CRYPT_FILES=1000

# In June 2011 it was discovered that the Linux crypt_blowfish
# implementation contained a bug that made passwords with non-ASCII
# characters easier to crack (CVE-2011-2483). Affected passwords are
# also incompatible with the original, correct OpenBSD
# implementation. Therefore the $2a hash identifier previously used
# for blowfish now is ambiguous as it could mean the hash was
# generated with the correct implementation on OpenBSD or the buggy
# one on Linux. To avoid the ambiguity two new identifier were
# introduced. $2x now explicitly identifies hashes that were
# generated with the buggy algorithm while $2y is used for hashes
# generated with the correct algorithm. New passwords are now
# generated with the $2y identifier.
#
# Setting the following option to "yes" tells the sytem that $2a
# hashes are to be treated as generated with the buggy algorithm.
BLOWFISH_2A2X=