Hi,
As per
https://stackoverflow.com/questions/15733196/where-2x-prefix-are-used-in-bcrypt, there's no functional difference between $2a$ and $2y$.
However a minor problem arises when using something like "htpasswd -nB -C 12" to generate a hash: the output has $2y$ as the variant, but these hashes are not validated by Search Guard.
Modifying $2y$ to $2a$ in sg_internal_users.yml works fine, so the question is: would it be possible for Search Guard to accept $2y$ variant hashes? Modifying the hash after it's output can be problematic.
Thanks!
CK