ACC SHELL

# This file contains some information for
# the passwd (1) command and other tools
# creating or modifying passwords.

# Define default crypt hash. This hash will be
# used, if there is no hash for a special service
# the user is stored in.
# CRYPT={des,md5,blowfish,sha256,sha512}
CRYPT=md5

# Use another crypt hash for group passwords.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=10

# For NIS, we should always use DES:
CRYPT_YP=des
 
# In June 2011 it was discovered that the Linux crypt_blowfish
# implementation contained a bug that made passwords with non-ASCII
# characters easier to crack (CVE-2011-2483). Affected passwords are
# also incompatible with the original, correct OpenBSD
# implementation. Therefore the $2a hash identifier previously used
# for blowfish now is ambiguous as it could mean the hash was
# generated with the correct implementation on OpenBSD or the buggy
# one on Linux. To avoid the ambiguity two new identifier were
# introduced. $2x now explicitly identifies hashes that were
# generated with the buggy algorithm while $2y is used for hashes
# generated with the correct algorithm. New passwords are now
# generated with the $2y identifier.
#
# Setting the following option to "yes" tells the sytem that $2a
# hashes are to be treated as generated with the buggy algorithm.
BLOWFISH_2a2x=yes