Ultimately the encryption on the password field in the /etc/shadow is determine by the OS.
Here is a guide to determine what the OS is using. If it starts with
- $1$ - it is MD5
- $5$ - it is SHA-256
- $6$ - it is SHA-512
Nonetheless at the OS side you can verify this with the command: (example Redhat 7)
- authconfig --test | grep hashing
If it is not using the desired encryption you can and update it via the following command:
- authconfig --passalgo=sha512 --update
Nonetheless, PAM just executes the passwd command to rotate the passwd -> so the encryption to local files (/etc/passwd /etc/shadow) is controlled by the OS -> not PAM.