On Thu, Jul 12, 2012 at 7:21 AM, C Anthony Risinger firstname.lastname@example.org wrote:
However PAM, also by design, works in stacks, and thus offers a reasonable solution -- update the `auth` and `password` PAM keys to the new algo (so new passwords are read/written properly) then duplicate the `auth` key, restore the original algo, and change `required` -> `sufficient`). This would accept the old (higher in stack, sufficient) hash until that line was removed.
Are you sure the `auth` part is necessary? As far as I know, pam_unix accepts /all/ hash formats supported by system; the configured hash is only necessary for creating new hashes in `password`.