diff --git a/configuration/boot-environment.nix b/configuration/boot-environment.nix
index 4c4092bf3c97..6e14ef2e1934 100644
--- a/configuration/boot-environment.nix
+++ b/configuration/boot-environment.nix
@@ -234,7 +234,31 @@ rec {
 target = "event.d";
 }
- ];
+ { # Configuration for passwd and friends (e.g., hash algorithm
+ # for /etc/passwd).
+ source = ./etc/default/passwd;
+ target = "default/passwd";
+ }
+
+ ]
+
+ # A bunch of PAM configuration files for various programs.
+ ++ (map
+ (program:
+ { source = pkgs.substituteAll {
+ src = ./etc/pam.d + ("/" + program);
+ inherit (pkgs) pam_unix2;
+ };
+ target = "pam.d/" + program;
+ }
+ )
+ [
+ "login"
+ "passwd"
+ "useradd"
+ "other"
+ ]
+ );
 
 };
diff --git a/configuration/etc/default/passwd b/configuration/etc/default/passwd
new file mode 100644
index 000000000000..5804e28c38bc
--- /dev/null
+++ b/configuration/etc/default/passwd
@@ -0,0 +1,15 @@
+# Define default crypt hash
+# CRYPT={des,md5,blowfish}
+CRYPT=des
+
+# for local files, use a more secure hash. We
+# don't need to be portable here:
+CRYPT_FILES=blowfish
+
+# sometimes we need to specify special options for
+# a hash (variable is prepended by the name of the
+# crypt hash).
+BLOWFISH_CRYPT_FILES=10
+
+# For NIS, we should always use DES:
+CRYPT_YP=des
diff --git a/configuration/etc/pam.d/login b/configuration/etc/pam.d/login
new file mode 100644
index 000000000000..29ec6d7b11a3
--- /dev/null
+++ b/configuration/etc/pam.d/login
@@ -0,0 +1,4 @@
+auth required @pam_unix2@/lib/security/pam_unix2.so
+account required @pam_unix2@/lib/security/pam_unix2.so
+password required @pam_unix2@/lib/security/pam_unix2.so nullok use_first_pass use_authtok
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/configuration/etc/pam.d/other b/configuration/etc/pam.d/other
new file mode 100644
index 000000000000..b1ed9205b72c
--- /dev/null
+++ b/configuration/etc/pam.d/other
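Review bot: Only the pam_unix2 module is pinned to an absolute store path by this `substituteAll` call (`inherit (pkgs) pam_unix2;` feeding the `@pam_unix2@` placeholder), while the `other` and `useradd` files added in the same commit reference `pam_warn.so`, `pam_deny.so`, `pam_rootok.so` and `pam_permit.so` by bare name, so those are located through whatever module directory the PAM library itself was built with. The PAM runtime treats a module it cannot load as a failure, so `other` still denies in that case, but `useradd` would presumably stop working entirely since every line of its stack depends on such a module. Consider passing the Linux-PAM package through the same `substituteAll` call and writing those four modules with an absolute `@PLACEHOLDER@/lib/security/` prefix as well, so that every module the generated files depend on is declared in this expression rather than inherited from a build-time default. The enclosing `rec { … }` attribute set begins and ends outside the hunk.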
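Review bot: `CRYPT=des` keeps classic crypt(3) DES as the default for any password backend not covered by `CRYPT_FILES`, and DES crypt truncates the password to 8 characters and uses a 12-bit salt, which makes those hashes cheap to recover offline from a leaked database. Local files do get `CRYPT_FILES=blowfish` with `BLOWFISH_CRYPT_FILES=10`, so the weak setting only bites if a backend other than files is enabled later, and `CRYPT_YP=des` is a genuine NIS compatibility constraint that can stay. Suggest making the general default the strong one and confining DES to the one place that needs it: `CRYPT=blowfish` with the comment above it changed to `# Default crypt hash for every backend; DES is kept only for CRYPT_YP below.`.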
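Review bot: `use_first_pass use_authtok` on the `password` line tell pam_unix2 to take the old and new tokens from an earlier module in the stack, but pam_unix2 is the only module in this stack, so when login forces a change of an expired password there is presumably no earlier module to have supplied them and the change would fail; verify against the pam_unix2 documentation and, if confirmed, reduce the line to `password required @pam_unix2@/lib/security/pam_unix2.so nullok`. The `auth` line correctly omits `nullok`, so accounts with an empty password field cannot log in, which is the right default. The stack also has no `pam_securetty.so` or `pam_nologin.so` entries, so root may log in from any tty and /etc/nologin is not honoured; both are standard additions to a `login` stack if that behaviour is wanted.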
@@ -0,0 +1,8 @@
+auth required pam_warn.so
+auth required pam_deny.so
+account required pam_warn.so
+account required pam_deny.so
+password required pam_warn.so
+password required pam_deny.so
+session required pam_warn.so
+session required pam_deny.so
diff --git a/configuration/etc/pam.d/passwd b/configuration/etc/pam.d/passwd
new file mode 100644
index 000000000000..423e0efb4964
--- /dev/null
+++ b/configuration/etc/pam.d/passwd
@@ -0,0 +1,4 @@
+auth required @pam_unix2@/lib/security/pam_unix2.so
+account required @pam_unix2@/lib/security/pam_unix2.so
+password required @pam_unix2@/lib/security/pam_unix2.so nullok debug
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/configuration/etc/pam.d/useradd b/configuration/etc/pam.d/useradd
new file mode 100644
index 000000000000..b4aac2aba958
--- /dev/null
+++ b/configuration/etc/pam.d/useradd
@@ -0,0 +1,5 @@
+auth sufficient pam_rootok.so
+auth required pam_permit.so
+account required pam_permit.so
+password required pam_permit.so
+session required pam_permit.so
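Review bot: The `password` line of pam.d/passwd ships with `debug` enabled (`... nullok debug`), which turns on pam_unix2's syslog diagnostics for every password change on the system; that is useful while bringing the stack up but it is noise in a released configuration and, depending on the module's verbosity, may record more about password-change attempts than an audit trail should. Suggest dropping it: `password required @pam_unix2@/lib/security/pam_unix2.so nullok`. Note also that the `auth` line does not carry `nullok`, so a non-root account whose password field is empty presumably cannot authenticate to passwd in order to set one; if such accounts are expected (for example freshly created ones), that is a lockout to check rather than a hardening gain.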
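Review bot: `auth required pam_permit.so` directly after `auth sufficient pam_rootok.so` makes the rootok check irrelevant in pam.d/useradd: pam_permit always succeeds, so a non-root caller passes the auth, account, password and session stacks unconditionally and the only control left is the write permission on the user database files. This mirrors the sample useradd stack distributed with shadow, so it may be intentional; if the intent is to admit root only, the second line should read `auth required pam_deny.so`, which lets pam_rootok short-circuit for root and refuses everyone else. Either way a one-line comment at the top of the file stating which of the two is intended would save the next reader from guessing.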