This is a discussion on crypt -> md5 password migration within the Linux Administration forums, part of the Linux Forums category.
Hi all,
I am upgrading some servers in my home network and would like to change the format of the password files from crypt to md5.

I understand that one cannot convert crypt to md5 as that would require cracking the crypt and re-hashing as md5. I don't have that long 8^)

I am wondering if /etc/shadow et al. will handle both formats and encode into md5 the next time a user changes their password? For example, I install a new server OS, set the hash for the passwords to md5, can I then cut and paste the old crypt passwords into the new file and have it work? Then send out a notice to my users to change their passwords, thus changing them to md5?

Has anyone done something similar?

Thanks,
-- Marc C.
On Sat, 10 Apr 2004 11:41:11 -0600, Marc Christensen wrote:
> Hi all,
>
> I am upgrading some servers in my home network and would like to change
> the format of the password files from crypt to md5.

Good idea. There is one caveat... if you run NIS some of the clients may not understand MD5. For instance, Mac OS X does not understand MD5 password hashes.

> I understand that one cannot convert crypt to md5 as that would require
> cracking the crypt and re-hashing as md5. I don't have that long 8^)
>
> I am wondering if /etc/shadow et al. will handle both formats and
> encode into md5 the next time a user changes their password? For
> example, I install a new server OS, set the hash for the passwords to
> md5, can I then cut and paste the old crypt passwords into the new file
> and have it work? Then send out a notice to my users to change their
> passwords, thus changing them to md5?

Most of my experience is with Red Hat. Red Hat, when told to use MD5, will create the password hash as MD5 next time it is changed. There should not be any problem with a mix of MD5 and crypt hashes in /etc/shadow.

> Has anyone done something similar?

Yes. First convert the old system to un-shadowed passwords. In Red Hat there is a utility called pwunconv for converting shadowed passwords to unshadowed. Before you run pwunconv, run pwck and grpck to make sure your shadow and gshadow files are consistent. THEN run pwunconv and grpunconv to convert your /etc/shadow and /etc/gshadow files to older style /etc/passwd and /etc/group files.

Do the same thing on the new server. Copy over the /etc/passwd and /etc/group files from the old server to the new as oldpasswd and oldgroup. Merge the two files by hand with an editor. There are sometimes differences between these files even though you may be using the same distribution but a different version. Make sure that all system accounts (id < 500) that are required for the new server are consistent. Make sure all user accounts (id >= 500) are consistent. Same thing with the group files.

Make a backup copy of original files from both systems. Once you are happy with how the new /etc/passwd and /etc/shadow files look... run pwck and grpck again... then pwconv and grpconv. Then you will have new /etc/shadow and /etc/gshadow files on the server. The next time the user changes their password it will be created as an MD5 password.

In Red Hat you can configure the system to use MD5 passwords with authconfig or just edit /etc/sysconfig/authconfig. The pwck, grpck, pwconv... etc files are part of the shadow-utils package in Red Hat. Other distros may or may not be similar... adjust accordingly.

-DU-...etc...

>
> Thanks,
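
While /etc/shadow holds the mix of crypt and MD5 hashes described in the reply above, the hash field itself shows which accounts have not yet changed their password: MD5 hashes start with `$1$`, traditional crypt (DES) hashes are 13 characters with no `$` prefix. The script below is an added example, not part of the original thread; the function names `classify_shadow` and `pending_des` are hypothetical and the sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example: report which hash scheme each account in a shadow-format
# file uses, so the admin can see who still has an old crypt (DES) hash.

# Print "user scheme" for every line of the shadow-format file in $1.
classify_shadow() {
    awk -F: '{
        h = $2; p = substr(h, 1, 1)
        if (h == "")                        s = "empty"
        else if (p == "!" || p == "*")      s = "locked"
        else if (substr(h, 1, 3) == "$1$")  s = "md5"
        else if (p == "$")                  s = "other"
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
        else                                s = "unknown"
        print $1, s
    }' "$1"
}

# Print only the accounts that still need a password change.
pending_des() {
    classify_shadow "$1" | awk '$2 == "des" { print $1 }'
}

# Constructed sample: the hash fields are placeholders with the right
# shape, not real hashes. On a live system, run as root on /etc/shadow.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$1$CONSTRU1$PLACEHOLDERplaceholder:12500:0:99999:7:::
bin:*:12500:0:99999:7:::
alice:abCONSTRUCTED:12400:0:99999:7:::
bob:$1$CONSTRU2$PLACEHOLDERplaceholder:12520:0:99999:7:::
carol:!!:12400:0:99999:7:::
dave:xyPLACEHOLDER:12400:0:99999:7:::
EOF

classify_shadow "$SAMPLE"
echo "Still on crypt: $(pending_des "$SAMPLE" | tr '\n' ' ')"
```

Re-running it after the password-change notice goes out shows the list of crypt accounts shrinking; accounts that never leave it are candidates for a forced change or a lock.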