What is the password standard encryption that PAM uses for /etc/shadow password field

Article ID: 246991

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

What encryption is used for the password field in /etc/shadow when PAM generates or changes a password?

Environment

Release : 4.1.x, 4.0.x, 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Ultimately, the encryption (hashing algorithm) applied to the password field in /etc/shadow is determined by the OS.

The prefix of the password field shows which algorithm the OS is using. If it starts with

  • $1$ - it is MD5
  • $5$ - it is SHA-256
  • $6$ - it is SHA-512

On the OS side, you can verify this with the following command (example: Red Hat 7):

  • authconfig --test | grep hashing

If it is not using the desired encryption, you can update it with the following command:

  • authconfig --passalgo=sha512 --update

Nonetheless, PAM just executes the passwd command to rotate the password, so the encryption applied to local files (/etc/passwd, /etc/shadow) is controlled by the OS, not PAM.
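The prefix guide above can be applied to every account at once. The following is an added example, not part of the original article or of the PAM product: the function names, the MISMATCH label and the sample entries are constructed for illustration, and it goes beyond the three prefixes listed by also reporting locked accounts, empty passwords and entries with any other prefix.

```shell
#!/bin/sh
# Added example: report the hashing scheme of each shadow-format entry read
# from stdin and flag entries that do not use the desired scheme.
# Usage: classify_shadow [MD5|SHA-256|SHA-512]   (default: SHA-512)

classify_shadow() {
    awk -F: -v want="${1:-SHA-512}" '
    {
        field = $2; note = ""
        # passwd -l locks an account by prefixing the stored hash with "!"
        if (field ~ /^!+[^!*]/) { sub(/^!+/, "", field); note = " (locked)" }

        if      (field == "")       { print $1, "EMPTY-PASSWORD"; next }
        else if (field ~ /^[!*]+$/) { print $1, "no-password-login"; next }
        else if (field ~ /^\$1\$/)  scheme = "MD5"
        else if (field ~ /^\$5\$/)  scheme = "SHA-256"
        else if (field ~ /^\$6\$/)  scheme = "SHA-512"
        else if (field ~ /^\$/)     scheme = "other-prefix"
        else                        scheme = "legacy-no-prefix"

        # Flag hashes that were not produced with the desired algorithm
        if (scheme != want) note = note " MISMATCH"
        print $1, scheme note
    }'
}

# Constructed sample entries (salts and hashes are placeholders, not real)
sample_shadow() {
    cat <<'EOF'
root:$6$ConstructedSalt$ConstructedHashValue:19000:0:99999:7:::
alice:$5$ConstructedSalt$ConstructedHashValue:19000:0:99999:7:::
legacy:$1$ConstructedSalt$ConstructedHashValue:17000:0:99999:7:::
svc:!$6$ConstructedSalt$ConstructedHashValue:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
newuser:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# Demo on the sample; on a real host run as root: classify_shadow < /etc/shadow
sample_shadow | classify_shadow
```

Changing the algorithm with authconfig only affects passwords set afterwards, so an entry flagged MISMATCH keeps its old hash until that account's password is changed, for example by the next PAM rotation.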