Currently, you can change the password hashing algorithm used by crypt()
with the passwd_format in /etc/login.conf.

However, as far as I could find, you cannot change the number of
'rounds', the dynamic adjustment factor used in bcrypt, sha256crypt,
and sha512crypt.

bcrypt uses a log number; the default is 4 (so 2^4 rounds). The minimum
is currently 4, and the maximum 31.

sha256crypt and sha512crypt default to 5000, with a minimum of 1000 and a
maximum of 999999999.

OpenBSD implements this in login.conf with 'localcipher' similar to our
'passwd_format', except it takes an optional 2nd parameter, the number
of log2() rounds.

Arch implements this in pam_unix with rounds=

For compatibility, it might make most sense to use a separate variable
rather than adding the optional parameter to the existing passwd_format,
so older boxes do not choke on it.

Thoughts?

-- 
Allan Jude
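
An added example, not part of the original message or of FreeBSD's code: a small audit helper that reads the cost field from crypt(3) hash strings, using the limits and defaults quoted in the message, and lists accounts below a minimum. The names crypt_cost and below_policy, the POLICY thresholds and the sample lines are assumptions made for illustration; out-of-range sha-crypt values are clamped as in the sha-crypt reference code.

```python
import re

# Limits and defaults as stated in the message above.
BCRYPT_LOG2_MIN, BCRYPT_LOG2_MAX = 4, 31
SHA_DEFAULT, SHA_MIN, SHA_MAX = 5000, 1000, 999999999
SHA_IDS = {"5": "sha256crypt", "6": "sha512crypt"}

def crypt_cost(hash_str):
    """Return (scheme, iterations) for a crypt(3) hash, or None if it has no cost field."""
    parts = hash_str.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None                       # DES-style or locked ("*") entries
    ident, field = parts[1], parts[2]
    if re.fullmatch(r"2[abxy]?", ident):  # bcrypt: two-digit log2 cost
        if not re.fullmatch(r"\d\d", field):
            return ("bcrypt", None)       # malformed cost field
        log2 = int(field)
        in_range = BCRYPT_LOG2_MIN <= log2 <= BCRYPT_LOG2_MAX
        return ("bcrypt", 1 << log2 if in_range else None)
    if ident in SHA_IDS:                  # sha-crypt: optional "rounds=N" field
        m = re.fullmatch(r"rounds=(\d+)", field)
        if m is None:
            return (SHA_IDS[ident], SHA_DEFAULT)
        # Out-of-range requests are clamped to the nearest limit.
        return (SHA_IDS[ident], min(max(int(m.group(1)), SHA_MIN), SHA_MAX))
    return None                           # e.g. $1$ (md5crypt): fixed cost

def below_policy(passwd_lines, policy):
    """List (user, scheme, iterations) for entries under the per-scheme minimum."""
    weak = []
    for line in passwd_lines:
        user, pw_hash = line.split(":")[:2]
        cost = crypt_cost(pw_hash)
        if cost and (cost[1] is None or cost[1] < policy[cost[0]]):
            weak.append((user, *cost))
    return weak

# Constructed master.passwd-style lines; salts and digests are placeholders.
SAMPLE = [
    "alice:$2b$04$" + "A" * 53 + ":1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$2b$12$" + "B" * 53 + ":1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:$6$placeholdersalt$" + "C" * 86 + ":1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "dave:$6$rounds=200000$placeholdersalt$" + "D" * 86 + ":1004:1004::0:0:Dave:/home/dave:/bin/sh",
    "erin:*:1005:1005::0:0:Erin:/home/erin:/usr/sbin/nologin",
]
# Assumed policy thresholds, chosen for illustration only.
POLICY = {"bcrypt": 1 << 10, "sha256crypt": 100000, "sha512crypt": 100000}
if __name__ == "__main__":
    print(below_policy(SAMPLE, POLICY))
```

On the constructed sample this flags alice (bcrypt at the default cost of 4) and carol (sha512crypt with no rounds= field, so the default of 5000 applies).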
