I was wondering if it’s possible to implement more secure KDF like bcrypt, scrypt, pbkdf2 and argon2id in PAM authentication.
Ideally I would like to have their hashes instead of SHA-512 ones directly in /etc/shadow, but we all know what Ulrich Drepper wrote about bcrypt 13 years ago. OpenSUSE and OpenBSD seems to use a patched glibc
, but other distro don’t like the idea to implement these patches.
https://access.redhat.com/articles/1519843