RE: Need to convert back from md5 encryption in password file

I know there is no conversion per se.  What I want to do is change from the md5 to hash format.  As I pointed out, I changed the entry in system-auth to drop the md5 parameter.  I also reset the password using the passwd program.  The entry in the /etc/passwd file appeared to be a correct length hashed password.  The problem is when I then tried to log in, it failed.  If I re-added the md5 parameter then used passwd again to put in an md5 password, I could then log in again.

What am I missing if I drop the md5 from the /etc/pam.d/system-auth file then use passwd to reset the password?  So far I am only dealing with the root account but after I get it working, I will copy other password entries from the system I am replacing.


-----Original Message-----
From: Doug Fajardo [mailto:dfajardo@symark.com]
Sent: Monday, May 06, 2002 6:02 PM
To: pam-list@redhat.com
Subject: RE: Need to convert back from md5 encryption in password file

I'm sorry to point this out, but...
The idea of using the 'hash' for protecting passwords
is that they can't be recovered... (all you can do is compare
another hashed password and see if they are the same).

sooo.... you can't 'convert' existing passwords from md5
hashing to 'crypt' hashing... at least not with any reasonable
amount of compute power. (If you CAN, we are all in big trouble :-).

The upshot is that the only way to complete the conversion is
to force a password change :-(

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Earle F. Ake
Sent: Monday, May 06, 2002 12:17 PM
To: PAM List
Subject: Need to convert back from md5 encryption in password file

	I have multiple sites using a shared password file.  Some cannot use the
md5 encryption.  I want to eliminate the md5 encryption and use the old
RedHat standard hash encryption.  I was able to drop the shadow portion by
using pwunconv then editing the /etc/pam.d/system-auth file entry for
"password sufficient" and drop the "shadow" portion.

	I tried to also drop the "md5" portion on the same line and then use passwd
program to change it back to just a hashed password.  The passwd file entry
is changed but when I try to log in, it fails.  The /var/log/messages and
/var/log/secure logs give me:

sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=localhost.localdomain  user=root

sshd[1496]: Failed password for ROOT from port 1035 ssh2

If I change back to md5 then reset the password, all is well.  Can I change
to not use the md5 encryption and if so, what are the steps I need to take?

Earle Ake
Manager, Internet Services
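
Added example, not part of the thread or any poster's code: a small audit of which storage scheme each entry in a passwd-format file actually uses, which shows whether passwd wrote a traditional 13-character crypt value or a `$1$` md5-crypt value after system-auth was edited. The function names and the sample entries are constructed for illustration; the hash strings are placeholders, not real hashes.

```python
import re

# Character set crypt(3) uses for salts and encoded hashes.
B64 = r"[./0-9A-Za-z]"
# Traditional DES crypt: 2-character salt + 11 characters, 13 in total.
DES_RE = re.compile(rf"^{B64}{{13}}$")
# md5-crypt: "$1$", a salt of up to 8 characters, "$", then 22 characters.
MD5_RE = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")


def classify_hash(field):
    """Name the scheme a passwd/shadow password field is stored in."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"  # the real hash lives in /etc/shadow
    if field[0] in "!*":
        return "locked"
    if MD5_RE.match(field):
        return "md5-crypt"
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def audit_passwd(text):
    """Return [(user, scheme)] for each non-comment passwd line."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            results.append((parts[0], "malformed"))
            continue
        results.append((parts[0], classify_hash(parts[1])))
    return results


# Constructed sample entries (hypothetical users, placeholder hash strings).
SAMPLE = """\
root:$1$Ab3dEf9h$0123456789abcdefghijAB:0:0:root:/root:/bin/bash
alice:abCDEFGHIJKLM:500:500::/home/alice:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

if __name__ == "__main__":
    for user, scheme in audit_passwd(SAMPLE):
        print(f"{user:8} {scheme}")
```

Running the same audit over a shared password file before distributing it flags any md5-crypt entries that sites without md5 support would reject.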

