[arch-general] Upgrading password hashes

C Anthony Risinger anthony at xtfx.me
Thu Jul 12 00:21:14 EDT 2012


On Jul 11, 2012 3:06 AM, "Chris Sakalis" <chrissakalis at gmail.com> wrote:
> On Wed, Jul 11, 2012 at 11:16 AM, Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
> >> By the way, is it possible to upgrade password hashes without an
> >> intermediate password, assuming the new/old passwords are identical?
> >
> > You can have no password at all to start with but the system doesn't
> > know the password, only what you entered matches. You could attack the
> > md5 but that would be a waste of energy and likely time.
> >
>
> I do not think that this is what Nemo is asking. If you try to set
> your password to the same one you already have, passwd fails with
> "Password unchanged" and asks you again for a new password. So, if you
> just want to update your hashes, you have to choose an intermediate
> temporary password first and then change it again to the old one.

From root shell:

# usermod -p '' myuser
- repeat all users
- update algo
# passwd myuser
- repeat all users

... hashing algorithms are, by design, one-way only.  If your desire is
to update the algo in place -- without knowing the user passwords -- you're
out of luck :-(

However PAM, also by design, works in stacks, and thus offers a reasonable
solution -- update the `auth` and `password` PAM keys to the new algo (so
new passwords are read/written properly) then duplicate the `auth` key,
restore the original algo, and change `required` -> `sufficient`.  This
would accept the old (higher in stack, sufficient) hash until that line was
removed.

Additionally, you'll want/need to sprinkle some `use/try_first_pass` in
there to make it fluid (see man pages).

Lastly, expire the users' pass, thereby forcing an update/rewrite at next
login.

tl;dr ... passwords in shadow are prefixed with all the info needed to
select the proper algo at runtime ... the above may not be needed at all,
i.e. there may be a more succinct method or it may not be needed at all, but I'm
unsure offhand.

Sorry if terse/example-less/wrong-terminology/etc ... mobiles suck at times.

-- 

C Anthony [mobile]
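The tl;dr above is the useful handle for an administrator: because every shadow hash carries its algorithm prefix, you can audit which accounts are still on a legacy scheme and expire only those, so the rewrite happens at their next login once the pam_unix `password` line has been switched to the new scheme (e.g. `sha512` in place of `md5`). The script below is an added example, not code from the thread or from Arch; it assumes a shadow-format file as input, uses `chage -d 0` as the expiry command, and the sample data it reads is constructed with placeholder hash bodies, not real hashes.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread): report the
# hashing scheme of each account in a shadow-format file and print the
# expiry commands that would force a rehash for accounts on a legacy scheme.
# Assumes pam_unix already writes the target scheme for new passwords.

# Map the crypt(3) prefix of one shadow hash field to its algorithm name.
hash_algo() {
    case "$1" in
        '')        echo none ;;      # empty field: no password set
        '!'*|'*'*) echo locked ;;    # locked or disabled account
        '$1$'*)    echo md5 ;;
        '$2'*)     echo bcrypt ;;    # $2a$, $2b$, $2y$
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '$y$'*)    echo yescrypt ;;
        *)         echo descrypt ;;  # no prefix: traditional DES crypt
    esac
}

# Read shadow-format lines from the file named in $1 and print
# "user algorithm" for every account.
audit_shadow() {
    while IFS=: read -r user hash _; do
        printf '%s %s\n' "$user" "$(hash_algo "$hash")"
    done < "$1"
}

# Print (not run) the expiry command for every account whose hash is not
# yet in the target scheme ($2, default sha512). Locked and passwordless
# accounts are skipped: there is nothing to rehash for them.
rehash_commands() {
    target="${2:-sha512}"
    audit_shadow "$1" | while read -r user algo; do
        case "$algo" in
            "$target"|locked|none) ;;
            *) echo "chage -d 0 $user   # $algo -> $target at next login" ;;
        esac
    done
}

# Constructed sample data; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:15530:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:15530:0:99999:7:::
svc:!:15530:0:99999:7:::
olduser:PLACEHOLDERDES:15530:0:99999:7:::
EOF

audit_shadow "$SAMPLE_SHADOW"
rehash_commands "$SAMPLE_SHADOW" sha512
rm -f "$SAMPLE_SHADOW"
```

Run against the real file as root (`rehash_commands /etc/shadow sha512`) once the `password` line has been changed; the output is a dry-run list, so you can review it before piping it into a shell. Re-running `audit_shadow` afterwards shows which accounts have logged in and been rewritten and which are still pending.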
