diff --git a/ChangeLog b/ChangeLog
index ddd49437..5649f04d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2007-11-24  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* configure.in: New configure option: --with-sha-crypt enabled by
+	default. Keeping the feature enabled is safe. Disabling it permits
+	to disable the references to the SHA256 and SHA512 password
+	encryption algorithms from the usage help and manuals (in addition
+	to the support for these algorithms in the code).
+	* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+	src/chpasswd.c, src/chgpasswd.c, src/passwd.c: ENCRYPT_METHOD is
+	always supported in login.defs. Remove the ENCRYPTMETHOD_SELECT
+	preprocessor condition.
+	* libmisc/obscure.c, libmisc/salt.c, src/newusers.c,
+	src/chpasswd.c, src/chgpasswd.c, src/passwd.c: Disable SHA256 and
+	SHA512 if USE_SHA_CRYPT is not defined (this corresponds to a
+	subset of the ENCRYPTMETHOD_SELECT sections).
+
 2007-11-24  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* lib/encrypt.c: If we requested a non DES encryption, make sure
diff --git a/configure.in b/configure.in
index a25560d1..4d905579 100644
--- a/configure.in
+++ b/configure.in
@@ -228,6 +228,14 @@ AC_ARG_WITH(skey,
 AC_ARG_WITH(libcrack,
 	[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=yes if found and if PAM not enabled@:>@])],
 	[with_libcrack=$withval], [with_libcrack=no])
+AC_ARG_WITH(sha-crypt,
+	[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+	[with_sha_crypt=$withval], [with_sha_crypt=yes])
+
+AM_CONDITIONAL(USE_SHA_CRYPT, test "x$with_sha_crypt" = "xyes")
+if test "$with_sha_crypt" = "yes"; then
+		AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+fi
 
 dnl Check for some functions in libc first, only if not found check for
 dnl other libraries.  This should prevent linking libnsl if not really
@@ -378,4 +386,5 @@ echo "	PAM support:			$with_libpam"
 echo "	SELinux support:		$with_selinux"
 echo "	shadow group support:		$enable_shadowgrp"
 echo "	S/Key support:			$with_skey"
+echo "	SHA passwords encryption:	$with_sha_crypt"
 echo
diff --git a/libmisc/obscure.c b/libmisc/obscure.c
index a87d7ee4..27f15a75 100644
--- a/libmisc/obscure.c
+++ b/libmisc/obscure.c
@@ -210,9 +210,7 @@ static const char *password_check (const char *old, const char *new,
 	int maxlen, oldlen, newlen;
 	char *new1, *old1;
 	const char *msg;
-#ifdef ENCRYPTMETHOD_SELECT
 	char *result;
-#endif
 
 	oldlen = strlen (old);
 	newlen = strlen (new);
@@ -230,9 +228,7 @@ static const char *password_check (const char *old, const char *new,
 	if (msg)
 		return msg;
 
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
 	/* The traditional crypt() truncates passwords to 8 chars.  It is
 	   possible to circumvent the above checks by choosing an easy
 	   8-char password and adding some random characters to it...
@@ -242,16 +238,17 @@ static const char *password_check (const char *old, const char *new,
 		if (getdef_bool ("MD5_CRYPT_ENAB"))
 			return NULL;
 
-#ifdef ENCRYPTMETHOD_SELECT
 	} else {
 
-		if (!strcmp (result, "MD5") ||
-		    !strcmp (result, "SHA256") ||
-		    !strcmp (result, "SHA512"))
+		if (   !strcmp (result, "MD5")
+#ifdef USE_SHA_CRYPT
+		    || !strcmp (result, "SHA256")
+		    || !strcmp (result, "SHA512")
+#endif
+		    )
 			return NULL;
 
 	}
-#endif
 	maxlen = getdef_num ("PASS_MAX_LEN", 8);
 	if (oldlen <= maxlen && newlen <= maxlen)
 		return NULL;
diff --git a/libmisc/salt.c b/libmisc/salt.c
index 259f6096..2a9ecd2e 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -58,7 +58,7 @@ char *l64a(long value)
  */
 #define MAGNUM(array,ch)	(array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
 
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 /*
  * Return the salt size.
  * The size of the salt string is between 8 and 16 bytes for the SHA crypt
@@ -187,15 +187,13 @@ char *crypt_make_salt (char *meth, void *arg)
 	if (NULL != meth)
 		method = meth;
 	else {
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL)
-#endif
 		method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
 	}
 
 	if (!strcmp (method, "MD5")) {
 		MAGNUM(result, '1');
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 	} else if (!strcmp (method, "SHA256")) {
 		MAGNUM(result, '5');
 		strcat(result, SHA_salt_rounds((int *)arg));
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 6a829df5..b96cb2a5 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -80,7 +80,7 @@ static void usage (void)
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -127,7 +127,7 @@ int main (int argc, char **argv)
 			{"encrypted", no_argument, NULL, 'e'},
 			{"help", no_argument, NULL, 'h'},
 			{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -135,7 +135,7 @@ int main (int argc, char **argv)
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:ehms:",
 #else
 			             "c:ehm",
@@ -156,7 +156,7 @@ int main (int argc, char **argv)
 			case 'm':
 				md5flg = 1;
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -195,7 +195,7 @@ int main (int argc, char **argv)
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 78d4919f..81e301d5 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -77,7 +77,7 @@ static void usage (void)
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -123,7 +123,7 @@ int main (int argc, char **argv)
 			{"encrypted", no_argument, NULL, 'e'},
 			{"help", no_argument, NULL, 'h'},
 			{"md5", no_argument, NULL, 'm'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -131,7 +131,7 @@ int main (int argc, char **argv)
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:ehms:",
 #else
 			             "c:ehm",
@@ -152,7 +152,7 @@ int main (int argc, char **argv)
 			case 'm':
 				md5flg = 1;
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -191,7 +191,7 @@ int main (int argc, char **argv)
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif
diff --git a/src/newusers.c b/src/newusers.c
index df82bd0f..a625ea8a 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -84,7 +84,7 @@ static void usage (void)
 			   "%s"
 			   "\n"),
 			 Prog,
-#ifndef ENCRYPTMETHOD_SELECT
+#ifndef USE_SHA_CRYPT
 			 "NONE DES MD5", ""
 #else
 			 "NONE DES MD5 SHA256 SHA512",
@@ -344,7 +344,7 @@ int main (int argc, char **argv)
 		static struct option long_options[] = {
 			{"crypt-method", required_argument, NULL, 'c'},
 			{"help", no_argument, NULL, 'h'},
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			{"sha-rounds", required_argument, NULL, 's'},
 #endif
 			{NULL, 0, NULL, '\0'}
@@ -352,7 +352,7 @@ int main (int argc, char **argv)
 
 		while ((c =
 			getopt_long (argc, argv,
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			             "c:hs:",
 #else
 			             "c:h",
@@ -367,7 +367,7 @@ int main (int argc, char **argv)
 			case 'h':
 				usage ();
 				break;
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 			case 's':
 				sflg = 1;
 				if (!getlong(optarg, &sha_rounds)) {
@@ -399,7 +399,7 @@ int main (int argc, char **argv)
 		if (   0 != strcmp (crypt_method, "DES")
 		    && 0 != strcmp (crypt_method, "MD5")
 		    && 0 != strcmp (crypt_method, "NONE")
-#ifdef ENCRYPTMETHOD_SELECT
+#ifdef USE_SHA_CRYPT
 		    && 0 != strcmp (crypt_method, "SHA256")
 		    && 0 != strcmp (crypt_method, "SHA512")
 #endif
diff --git a/src/passwd.c b/src/passwd.c
index 282ffef1..d5479880 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -204,9 +204,7 @@ static int new_password (const struct passwd *pw)
 	int i;			/* Counter for retries */
 	int warned;
 	int pass_max_len = -1;
-#ifdef ENCRYPTMETHOD_SELECT
 	char *method;
-#endif
 
 #ifdef HAVE_LIBCRACK_HIST
 	int HistUpdate (const char *, const char *);
@@ -244,21 +242,20 @@ static int new_password (const struct passwd *pw)
 	 * for strength, unless it is the root user. This provides an escape
 	 * for initial login passwords.
 	 */
-#ifdef ENCRYPTMETHOD_SELECT
 	if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
-#endif
 		if (!getdef_bool ("MD5_CRYPT_ENAB"))
 			pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
-#ifdef ENCRYPTMETHOD_SELECT
 	} else {
-		if (!strcmp (method, "MD5") ||
-		    !strcmp (method, "SHA256") ||
-		    !strcmp (method, "SHA512"))
+		if (   !strcmp (method, "MD5")
+#ifdef USE_SHA_CRYPT
+		    || !strcmp (method, "SHA256")
+		    || !strcmp (method, "SHA512")
+#endif
+		    )
 			pass_max_len = -1;
 		else
 			pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
 	}
-#endif
 	if (!qflg) {
 		if (pass_max_len == -1) {
 			printf (_(