Due to NIH syndrome and Drepper being Drepper, the only remotely secure password hashing algorithm available on RHEL5/6 is glibc's sha512-crypt with the round count raised well above its default. Out of the box RHEL6 gives you sha512-crypt at the default 5000 rounds (RHEL5 still defaults to md5crypt), which sucks: 5000 rounds is cheap enough that a leaked /etc/shadow can be brute-forced at speed on commodity hardware.
This also applies to CentOS, Scientific Linux, and other RHEL clones.
Anyway, to raise the round count, these files need updating:
/etc/login.defs: add a new line
/etc/pam.d/system-auth-ac: find the line with `password sufficient pam_unix.so sha512` and append
Note that the change to the last file may not persist: authconfig regenerates system-auth-ac, so the next run of authconfig overwrites the edit. I have no idea how to properly set it up.
Finally, run this command:
If you’re using RHEL5, run `authconfig --passalgo=sha512 --update` first, since RHEL5 defaults to md5crypt and the round setting only applies to SHA-crypt hashes.
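As an added example (not part of the original note, and not Red Hat's or authconfig's own tooling), the following POSIX shell script performs the two file edits above on copies of the files and then audits a shadow-style file for hashes that are still at the default round count. It assumes that shadow-utils honours SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS in login.defs and that pam_unix.so accepts a rounds=N option (both hold on RHEL6; on RHEL5 check your shadow-utils and pam versions first), and the value 65536 is an arbitrary illustrative choice, not a recommendation from the note.

```shell
#!/bin/sh
# Added example, not from the original note. Edits login.defs- and
# system-auth-ac-style files to pin sha512-crypt rounds, and audits a
# shadow-style file for hashes that are still at glibc's 5000-round default.
# Assumptions: shadow-utils honours SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS,
# pam_unix.so accepts rounds=N, and 65536 is an arbitrary illustrative value.

# Replace (or add) SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in file $1
# with value $2. Pinning both makes every new hash use exactly $2 rounds.
set_login_defs_rounds() {
    f=$1; n=$2; tmp=$(mktemp)
    awk '!/^SHA_CRYPT_(MIN|MAX)_ROUNDS/' "$f" > "$tmp"
    printf 'SHA_CRYPT_MIN_ROUNDS %s\nSHA_CRYPT_MAX_ROUNDS %s\n' "$n" "$n" >> "$tmp"
    mv "$tmp" "$f"
}

# On the "password ... pam_unix.so" line of PAM file $1, drop any existing
# rounds= option and append rounds=$2. Every other line is left untouched.
set_pam_rounds() {
    f=$1; n=$2; tmp=$(mktemp)
    awk -v n="$n" '
        $1 == "password" && $3 == "pam_unix.so" {
            line = ""
            for (i = 1; i <= NF; i++)
                if ($i !~ /^rounds=/) line = line (line == "" ? "" : " ") $i
            $0 = line " rounds=" n
        }
        { print }' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Print "user rounds" for each unlocked account in shadow-style file $1.
# A $6$ hash without rounds= means glibc's default of 5000; any other hash
# type (e.g. $1$ md5crypt) is reported as 0 rounds so it sorts as weakest.
audit_shadow_rounds() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }            # locked or passwordless
        {
            rounds = 0
            split($2, p, "\\$")                      # $6$rounds=N$salt$hash
            if (p[2] == "6") {
                rounds = 5000
                if (p[3] ~ /^rounds=/) { sub(/^rounds=/, "", p[3]); rounds = p[3] + 0 }
            }
            print $1, rounds
        }' "$1"
}

# Count accounts in $1 whose hash uses fewer than $2 rounds, i.e. accounts
# that need a password change before the new setting protects them.
count_weak_hashes() {
    audit_shadow_rounds "$1" | awk -v min="$2" '$2 < min { c++ } END { print c + 0 }'
}

# --- demo on constructed copies (never touches /etc) ---
d=$(mktemp -d)
printf 'UMASK 077\nENCRYPT_METHOD SHA512\n' > "$d/login.defs"
printf 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\npassword    required      pam_deny.so\n' > "$d/system-auth-ac"
# constructed shadow entries: pinned rounds, default rounds, md5crypt, locked
printf 'root:$6$rounds=65536$saltsalt$hash:15000:0:99999:7:::\nalice:$6$saltsalt$hash:15000:0:99999:7:::\nbob:$1$saltsalt$hash:15000:0:99999:7:::\ndaemon:*:15000:0:99999:7:::\n' > "$d/shadow"

set_login_defs_rounds "$d/login.defs" 65536
set_pam_rounds "$d/system-auth-ac" 65536
cat "$d/login.defs" "$d/system-auth-ac"
audit_shadow_rounds "$d/shadow"
echo "accounts below 65536 rounds: $(count_weak_hashes "$d/shadow" 65536)"
rm -rf "$d"
```

To apply this for real, point the two edit functions at /etc/login.defs and the PAM file you actually maintain, and re-run set_pam_rounds after any authconfig invocation, because authconfig rewrites system-auth-ac. The audit matters because changing the setting does not rehash anything: an account's stored hash only gets the new round count the next time its password is set, so `audit_shadow_rounds /etc/shadow` (as root) is the list of accounts that still need a forced password change.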