pam_unix: Add crypt_default method, if supported.

libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations.  As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.

* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
* modules/pam_unix/passverify.c: Add crypt_default method.
* modules/pam_unix/support.h: Likewise.

1 files changed, 20 insertions, 0 deletions

diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index cae2aeaa..82e0c9af 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -363,6 +363,23 @@
       </varlistentry>
       <varlistentry>
         <term>
+          <option>crypt_default</option>
+        </term>
+        <listitem>
+          <para>
+            When a user changes their password next,
+            encrypt it with the default algorithm and the default
+            amount of rounds provided by the system configuration
+            of libcrypt. If this default algorithm is not known to
+            the <citerefentry>
+	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry> function,
+            fall back to MD5.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
           <option>rounds=<replaceable>n</replaceable></option>
         </term>
         <listitem>
@@ -371,6 +388,9 @@
             blowfish, gost-yescrypt, and yescrypt password hashing
             algorithms to
             <replaceable>n</replaceable>.
+            This option will be ignored when the crypt_default option
+            is used, as the default algorithm always uses the value
+            from the system configuration of libcrypt.
           </para>
         </listitem>
       </varlistentry>