crypt -> md5 password migration
I am upgrading some servers in my home network and would like to change
the format of the password files from crypt to md5.
I understand that one cannot convert crypt to md5 as that would require
cracking the crypt and re-hashing as md5. I don't have that long 8^)
I am wondering if /etc/shadow et al. will handle both formats and
encode into md5 the next time a user changes their password? For
example, I install a new server OS, set the hash for the passwords to
md5, can I then cut and paste the old crypt passwords into the new file
and have it work? Then send out a notice to my users to change their
passwords, thus changing them to md5?
Has anyone done something similar?
Re: crypt -> md5 password migration
On Sat, 10 Apr 2004 11:41:11 -0600, Marc Christensen wrote:
> Hi all,
> I am upgrading some servers in my home network and would like to change
> the format of the password files from crypt to md5.
Good idea. There is one caveat... if you run NIS some of the clients may
not understand MD5. For instance, Mac OS X does not understand MD5
> I understand that one cannot convert crypt to md5 as that would require
> cracking the crypt and re-hashing as md5. I don't have that long 8^)
> I am wondering if /etc/shadow et al. will handle both formats and
> encode into md5 the next time a user changes their password? For
> example, I install a new server OS, set the hash for the passwords to
> md5, can I then cut and paste the old crypt passwords into the new file
> and have it work? Then send out a notice to my users to change their
> passwords, thus changing them to md5?
Most of my experience is with Red Hat. Red Hat, when told to use MD5,
will create the password hash as MD5 next time it is changed. There should
not be any problem with a mix of MD5 and crypt hashes in /etc/shadow.
> Has anyone done something similar?
First convert the old system to un-shadowed passwords. In Red Hat there is
a utility called pwunconv for converting shadowed passwords to unshadowed.
Before you run pwunconv, run pwck and grpck to make sure your shadow and
gshadow files are consistent. THEN run pwunconv and grpunconv to convert
your /etc/shadow and /etc/gshadow files to older style /etc/passwd and
Do the same thing on the new server.
Copy over the /etc/passwd and /etc/group files from the old server to the
new as oldpasswd and oldgroup. Merge the two files by hand with an editor.
There are sometimes differences between these files even though you may be
using the same distribution but a different version. Make sure that all
system accounts (id < 500) that are required for the new server are
consistent. Make sure all user accounts (id >= 500) are consistent. Same
thing with the group files. Make a backup copy of original files from both
Once you are happy with how the new /etc/passwd and /etc/shadow files
look... run pwck and grpck again... then pwconv and grpconv. Then you will
have new /etc/shadow and /etc/gshadow files on the server. The next time
the user changes their password it will be created as an MD5 password.
In Red Hat you can configure the system to use MD5 passwords with
authconfig or just edit /etc/sysconfig/authconfig.
The pwck, grpck, pwconv... etc files are part of the shadow-utils package
in Red Hat. Other distros may or may not be similar... adjust accordingly.
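
The reply above describes a shadow file that holds a mix of crypt and MD5 hashes until each user changes their password. The following is an added example, not part of the thread, that reports which scheme each account uses so the remaining crypt accounts can be tracked. It relies on the `$1$` prefix that marks an MD5-crypt entry and on traditional crypt hashes being 13 characters from `[./0-9A-Za-z]`; the function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which hash scheme each account
# in a shadow-format file uses, so leftover crypt entries can be tracked.

classify_shadow() {     # $1 = shadow-format file (user:hash:...)
    awk -F: '
        /^#/ || NF < 2 { next }                 # skip comments and blank lines
        {
            h = $2
            if (h == "") { print $1, "empty"; next }   # no password set at all
            locked = sub(/^!+/, "", h)          # "!" prefix marks a locked account
            if (h == "" || h == "*")            s = "no-login"
            else if (substr(h, 1, 3) == "$1$")  s = "md5"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des-crypt"
            else                                s = "other"
            suffix = locked ? " locked" : ""
            print $1, s suffix
        }' "$1"
}

legacy_users() {        # accounts that still need a password change
    classify_shadow "$1" | awk '$2 == "des-crypt" { print $1 }'
}

write_sample() {        # constructed entries; the hash strings are made up
    cat > "$1" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:12500:0:99999:7:::
bin:*:12500:0:99999:7:::
alice:ab0123456789.:12500:0:99999:7:::
bob:$1$ijklmnop$ABCDEFGHIJKLMNOPQRSTUV:12520:0:99999:7:::
carol:!cd9876543210/:12500:0:99999:7:::
EOF
}

# Demo on the constructed sample; pass /etc/shadow instead when run as root.
tmp=$(mktemp)
write_sample "$tmp"
classify_shadow "$tmp"
echo "still on crypt: $(legacy_users "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

Re-running `legacy_users` against the real shadow file after the change-password notice goes out shows who has not yet moved to MD5.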