On Jul 11, 2012 3:06 AM, "Chris Sakalis" email@example.com wrote:
On Wed, Jul 11, 2012 at 11:16 AM, Kevin Chadwick firstname.lastname@example.org
By the way, is it possible to upgrade password hashes without an intermediate password, assuming the new/old passwords are identical?
You can have no password at all to start with but the system doesn't know the password, only what you entered matches. You could attack the md5 but that would be a waste of energy and likely time.
I do not think that this is what Nemo is asking. If you try to set your password to the same one you already have, passwd fails with "Password unchanged" and asks you again for a new password. So, if you just want to update your hashes, you have to choose an intermediate temporary password first and then change it again to the old one.
From root shell:
# usermod -p '' myuser - repeat all users - update algo # passwd myuser - repeat all users
... hashing algorithms are, by design, one-way only. If you're desire is to update the algo in place -- without knowing the user passwords -- you're out of luck :-(
However PAM, also by design, works in stacks, and thus offers a reasonable solution -- update the `auth` and `password` PAM keys to the new algo (so new passwords are read/written properly) then duplicate the `auth` key, restore the original algo, and change `required` -> `sufficient`). This would accept the old (higher in stack, sufficient) hash until that line was removed.
Additionally, you'll want/need to sprinkle some `use/try_first_pass` in there to make it fluid (see man pages).
Lastly, expire the users pass, thereby forcing an update/rewrite at next login.
tl;dr ... passwords in shadow are prefixed with all the info needed to select the proper algo at runtime ... the above may not be needed at all, ie. there may be a more succinct method or not needed at all, but I'm unsure offhand.
Sorry if terse/example-less/wrong-terminology/etc ... mobiles suck at times.