crypt -> md5 password migration - Linux


  1. crypt -> md5 password migration

    Hi all,

    I am upgrading some servers in my home network and would like to change
    the format of the password files from crypt to md5.

    I understand that one cannot convert crypt to md5 as that would require
    cracking the crypt and re-hashing as md5. I don't have that long 8^)

    I am wondering if /etc/shadow et al. will handle both formats and
    encode into md5 the next time a user changes their password? For
    example, I install a new server OS, set the hash for the passwords to
    md5, can I then cut and paste the old crypt passwords into the new file
    and have it work? Then send out a notice to my users to change their
    passwords, thus changing them to md5?

    Has anyone done something similar?

    Thanks,

    --
    Marc C.

  2. Re: crypt -> md5 password migration

    On Sat, 10 Apr 2004 11:41:11 -0600, Marc Christensen wrote:

    > Hi all,
    >
    > I am upgrading some servers in my home network and would like to change
    > the format of the password files from crypt to md5.


    Good idea. There is one caveat... if you run NIS some of the clients may
    not understand MD5. For instance, Mac OS X does not understand MD5
    password hashes.

    > I understand that one cannot convert crypt to md5 as that would require
    > cracking the crypt and re-hashing as md5. I don't have that long 8^)
    >
    > I am wondering if /etc/shadow et al. will handle both formats and
    > encode into md5 the next time a user changes their password? For
    > example, I install a new server OS, set the hash for the passwords to
    > md5, can I then cut and paste the old crypt passwords into the new file
    > and have it work? Then send out a notice to my users to change their
    > passwords, thus changing them to md5?


    Most of my experience is with Red Hat. Red Hat, when told to use MD5,
    will create the password hash as MD5 next time it is changed. There should
    not be any problem with a mix of MD5 and crypt hashes in /etc/shadow.

    > Has anyone done something similar?


    Yes.

    First convert the old system to un-shadowed passwords. In Red Hat there is
    a utility called pwunconv for converting shadowed passwords to unshadowed.
    Before you run pwunconv, run pwck and grpck to make sure your shadow and
    gshadow files are consistent. THEN run pwunconv and grpunconv to convert
    your /etc/shadow and /etc/gshadow files to older style /etc/passwd and
    /etc/group files.

    Do the same thing on the new server.

    Copy over the /etc/passwd and /etc/group files from the old server to the
    new as oldpasswd and oldgroup. Merge the two files by hand with an editor.
    There are sometimes differences between these files even though you may be
    using the same distribution but a different version. Make sure that all
    system accounts (id < 500) that are required for the new server are
    consistent. Make sure all user accounts (id >= 500) are consistent. Same
    thing with the group files. Make a backup copy of original files from both
    systems.

    Once you are happy with how the new /etc/passwd and /etc/shadow files
    look... run pwck and grpck again... then pwconv and grpconv. Then you will
    have new /etc/shadow and /etc/gshadow files on the server. The next time
    the user changes their password it will be created as an MD5 password.

    In Red Hat you can configure the system to use MD5 passwords with
    authconfig or just edit /etc/sysconfig/authconfig.

    The pwck, grpck, pwconv... etc files are part of the shadow-utils package
    in Red Hat. Other distros may or may not be similar... adjust accordingly.

    -DU-...etc...

    >
    > Thanks,
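
One way to track the mixed-format period described in the reply above, as an added example that is not code from the thread: it classifies the password field of each entry and lists the accounts still on traditional crypt. The function names are hypothetical, and the sample entries and hash values are constructed placeholders.

```python
import re
from collections import defaultdict

# Traditional DES crypt: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: $1$ + salt (up to 8 chars) + $ + 22-char hash.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def classify(field):
    """Return (scheme, locked) for field 2 of a shadow or unshadowed passwd entry."""
    locked = field.startswith("!")      # passwd -l / usermod -L prepend '!'
    value = field.lstrip("!")
    if value == "":
        # '!!' or '!' = no password set yet; '' = login without a password
        return ("none" if locked else "empty", locked)
    if value == "*":
        return ("none", locked)         # account cannot log in with a password
    if value == "x":
        return ("shadowed", locked)     # hash lives in /etc/shadow, not this file
    if MD5_RE.match(value):
        return ("md5-crypt", locked)
    if DES_RE.match(value):
        return ("des-crypt", locked)
    return ("other", locked)

def audit(lines):
    """Group account names by hash scheme; malformed lines are skipped."""
    by_scheme = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        scheme, _ = classify(parts[1])
        by_scheme[scheme].append(parts[0])
    return dict(by_scheme)

def pending_migration(lines):
    """Accounts still on traditional crypt, i.e. a password change is still needed."""
    return sorted(audit(lines).get("des-crypt", []))

# Constructed sample entries; the hash values are placeholders, not real hashes.
SAMPLE = """\
root:$1$saltsalt$0123456789ABCDEFGHIJKL:12500:0:99999:7:::
daemon:*:12500:0:99999:7:::
carol:ab0123456789A:12400:0:99999:7:::
alice:!cd0123456789B:12400:0:99999:7:::
newuser:!!:12500:0:99999:7:::
bob:$1$pepper$LKJIHGFEDCBA9876543210:12520:0:99999:7:::
"""

if __name__ == "__main__":
    print("still on crypt:", pending_migration(SAMPLE.splitlines()))
```

To audit a live system, pass the lines of /etc/shadow (read as root) instead of SAMPLE.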


