On Jul 11, 2012 3:06 AM, "Chris Sakalis" <chrissakalis@xxxxxxxxx> wrote:
> On Wed, Jul 11, 2012 at 11:16 AM, Kevin Chadwick <ma1l1ists@xxxxxxxxxxx> wrote:
> >> By the way, is it possible to upgrade password hashes without an
> >> intermediate password, assuming the new/old passwords are identical?
> >
> > You can have no password at all to start with but the system doesn't
> > know the password, only what you entered matches. You could attack the
> > md5 but that would be a waste of energy and likely time.
> >
>
> I do not think that this is what Nemo is asking. If you try to set
> your password to the same one you already have, passwd fails with
> "Password unchanged" and asks you again for a new password. So, if you
> just want to update your hashes, you have to choose an intermediate
> temporary password first and then change it again to the old one.

From root shell:

# usermod -p '' myuser
- repeat all users
- update algo
# passwd myuser
- repeat all users

... hashing algorithms are, by design, one-way only. If your desire is to update the algo in place -- without knowing the user passwords -- you're out of luck :-(

However PAM, also by design, works in stacks, and thus offers a reasonable solution -- update the `auth` and `password` PAM keys to the new algo (so new passwords are read/written properly), then duplicate the `auth` key, restore the original algo, and change `required` -> `sufficient`. This would accept the old (higher in stack, sufficient) hash until that line was removed. Additionally, you'll want/need to sprinkle some `use/try_first_pass` in there to make it fluid (see man pages). Lastly, expire the users' pass, thereby forcing an update/rewrite at next login.

tl;dr ... passwords in shadow are prefixed with all the info needed to select the proper algo at runtime ... the above may not be needed at all, ie. there may be a more succinct method, or it may not be needed at all, but I'm unsure offhand.

Sorry if terse/example-less/wrong-terminology/etc ... mobiles suck at times.

--
C Anthony [mobile]
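The tl;dr above is the practical point: each shadow entry carries a crypt(3) `$id$` prefix that names its own algorithm, so the verifier never needs a system-wide setting to check an old hash, and the only thing left to do during a migration is to find the accounts still carrying legacy hashes and expire their passwords so they get re-hashed at next login. The following audit script is an added example, not code from the thread or from any distribution. It parses constructed `/etc/shadow`-style records (the hash bodies are placeholders, not real hashes), maps each prefix to its algorithm, and returns the users whose stored hash does not use the target algorithm. The prefix table reflects glibc/libxcrypt identifiers; the `ShadowEntry` type, `SAMPLE_SHADOW` data and function names are this example's own.

```python
"""Audit /etc/shadow-style records for the password hash algorithm in use.

Added example (not from the mailing-list thread). The crypt(3) "$id$" prefix
selects the hashing algorithm at verification time; this script reads that
prefix and lists accounts whose hash should be re-hashed (by expiring the
password) during a hash-algorithm migration.
"""
from typing import List, NamedTuple

# Prefix identifiers as written by glibc / libxcrypt into /etc/shadow.
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
# Alphabet of the traditional 13-character DES crypt, which has no prefix.
_DES_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")


class ShadowEntry(NamedTuple):
    user: str
    algorithm: str  # "sha512crypt", "descrypt", "none", "disabled", "unknown", ...
    locked: bool    # password field began with "!" (the account was locked)


def hash_algorithm(field: str) -> str:
    """Map one shadow password field (lock marker already stripped) to its algorithm."""
    if field == "":
        return "none"          # empty field: no password at all (cf. usermod -p '')
    if field.startswith("*"):
        return "disabled"      # no hash stored: password login impossible
    if field.startswith("$"):
        parts = field.split("$")          # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        if len(parts) >= 3 and parts[1] in HASH_IDS:
            return HASH_IDS[parts[1]]
        return "unknown"       # prefixed, but not an id this table knows
    if len(field) == 13 and set(field) <= _DES_CHARS:
        return "descrypt"      # legacy DES crypt, recognisable only by shape
    return "unknown"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) records; only the user and password fields are used."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        locked = pw.startswith("!")
        core = pw.lstrip("!")  # "!$6$..." keeps the original hash behind the lock
        algorithm = "disabled" if (locked and core == "") else hash_algorithm(core)
        entries.append(ShadowEntry(user, algorithm, locked))
    return entries


def accounts_needing_rehash(text: str, target: str = "sha512crypt") -> List[str]:
    """Users whose stored hash is a real hash but not in the target algorithm."""
    return sorted(
        e.user
        for e in parse_shadow(text)
        if e.algorithm not in ("none", "disabled") and e.algorithm != target
    )


# Constructed sample records; hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$placeholderSha512Body:15532:0:99999:7:::
bob:$1$abcdefgh$placeholderMd5Body:15532:0:99999:7:::
carol:!$6$saltsalt$placeholderSha512Body:15532:0:99999:7:::
dave::15532:0:99999:7:::
eve:*:15532:0:99999:7:::
frank:abJnggxhB/yWI:15532:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.user:8} {e.algorithm:12} {'locked' if e.locked else ''}")
    print("needs rehash:", accounts_needing_rehash(SAMPLE_SHADOW))
```

Run against a real shadow file as root, the list it returns is exactly the set of accounts to expire (shadow-utils' `passwd -e` or `chage -d 0`) so that the next successful login rewrites the entry with the algorithm currently configured in the `password` stack; locked accounts are reported with their underlying algorithm because the old hash survives behind the `!` and will be verifiable again once unlocked.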