> By the way, is it possible to upgrade password hashes without an
> intermediate password, assuming the new/old passwords are identical?
You can have no password at all to start with but the system doesn't
know the password, only what you entered matches. You could attack the
md5 but that would be a waste of energy and likely time.
Why not do something good every day and install BOINC.
__________________________________________________ ______
07-12-2012, 04:21 AM
C Anthony Risinger
Upgrading password hashes
On Jul 11, 2012 3:06 AM, "Chris Sakalis" <chrissakalis@gmail.com> wrote:
> On Wed, Jul 11, 2012 at 11:16 AM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
> >> By the way, is it possible to upgrade password hashes without an
> >> intermediate password, assuming the new/old passwords are identical?
> >
> > You can have no password at all to start with but the system doesn't
> > know the password, only what you entered matches. You could attack the
> > md5 but that would be a waste of energy and likely time.
> >
>
> I do not think that this is what Nemo is asking. If you try to set
> your password to the same one you already have, passwd fails with
> "Password unchanged" and asks you again for a new password. So, if you
> just want to update your hashes, you have to choose an intermediate
> temporary password first and then change it again to the old one.
From root shell:
# usermod -p '' myuser
- repeat all users
- update algo
# passwd myuser
- repeat all users
... hashing algorithms are, by design, one-way only. If your desire is
to update the algo in place -- without knowing the user passwords -- you're
out of luck :-(
However PAM, also by design, works in stacks, and thus offers a reasonable
solution -- update the `auth` and `password` PAM keys to the new algo (so
new passwords are read/written properly) then duplicate the `auth` key,
restore the original algo, and change `required` -> `sufficient`. This
would accept the old (higher in stack, sufficient) hash until that line was
removed.
Additionally, you'll want/need to sprinkle some `use/try_first_pass` in
there to make it fluid (see man pages).
Lastly, expire the users pass, thereby forcing an update/rewrite at next
login.
tl;dr ... passwords in shadow are prefixed with all the info needed to
select the proper algo at runtime ... the above may not be needed at all,
ie. there may be a more succinct method or not needed at all, but I'm
unsure offhand.
Sorry if terse/example-less/wrong-terminology/etc ... mobiles suck at times.
--
C Anthony [mobile]
07-12-2012, 08:43 AM
Kevin Chadwick
Upgrading password hashes
> I do not think that this is what Nemo is asking. If you try to set
> your password to the same one you already have, passwd fails with
> "Password unchanged" and asks you again for a new password. So, if you
> just want to update your hashes, you have to choose an intermediate
> temporary password first and then change it again to the old one.
07-12-2012, 09:02 AM
Chris Sakalis
Upgrading password hashes
On Thu, Jul 12, 2012 at 11:43 AM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
>
> Does passwd -d work.
>
It does. But it is still two steps. This isn't really a problem
though, just out of curiosity.
--Chris Sakalis
07-12-2012, 10:35 AM
Kevin Chadwick
Upgrading password hashes
> It does. But it is still two steps. This isn't really a problem
> though, just out of curiosity.
Fair enough.
I don't understand the reason to want to do this, am I missing
something aside from why should the system stop you when it could just
warn you (similar to requirements for root).
When upgrading to a stronger hash I have never tested if it stops you
from using the same password when the hashes are different because it
matches both but I expect, that would be how it works. Is that the
issue? In that usually you would expect a password change at upgrade
time but on a new install that may not be a consideration.
07-12-2012, 10:52 AM
Chris Sakalis
Upgrading password hashes
On Thu, Jul 12, 2012 at 1:35 PM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
>
> When upgrading to a stronger hash I have never tested if it stops you
> from using the same password when the hashes are different because it
> matches both but I expect, that would be how it works. Is that the
> issue? In that usually you would expect a password change at upgrade
> time but on a new install that may not be a consideration.
>
Exactly. I assume the reason passwd does not allow you to set the same
password, is because sometimes you have to change your password, for
example on systems that have an expiration date for passwords.
Choosing the same password would beat the purpose. Again, this isn't
really a problem, so let's not continue this conversation on the
mailing list, spamming everyone's inboxes.
Regards,
Chris Sakalis
07-12-2012, 01:02 PM
Mantas Mikulėnas
Upgrading password hashes
On Thu, Jul 12, 2012 at 7:21 AM, C Anthony Risinger <anthony@xtfx.me> wrote:
> However PAM, also by design, works in stacks, and thus offers a reasonable
> solution -- update the `auth` and `password` PAM keys to the new algo (so
> new passwords are read/written properly) then duplicate the `auth` key,
> restore the original algo, and change `required` -> `sufficient`. This
> would accept the old (higher in stack, sufficient) hash until that line was
> removed.
Are you sure the `auth` part is necessary? As far as I know, pam_unix
accepts /all/ hash formats supported by system; the configured hash is
only necessary for creating new hashes in `password`.
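
The tl;dr in C Anthony's message and the pam_unix point above both rest on each shadow entry carrying its own algorithm prefix. As an added example (not from the thread or from any project mentioned in it), this script classifies shadow(5)-format lines by that prefix and lists the accounts still stored under an older scheme; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify shadow(5) password fields by their crypt(5) prefix.

# Map one password field to a scheme name.
classify_hash() {
    case "$1" in
        '')        echo "empty" ;;    # no password required at all
        '*'|'!'|'!!') echo "locked" ;; # no usable hash stored
        '!'*)      classify_hash "${1#?}" ;;  # locked, but a hash follows
        '$1$'*)    echo "md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)    echo "sha256" ;;
        '$6$'*)    echo "sha512" ;;
        '$y$'*)    echo "yescrypt" ;;
        *)         echo "des-or-other" ;;  # traditional DES has no $id$ prefix
    esac
}

# Read shadow-format lines on stdin; print "user:scheme" for every account
# whose stored hash is not the target scheme ($1, default sha512).
needs_upgrade() {
    target="${1:-sha512}"
    while IFS=: read -r user field _rest; do
        scheme=$(classify_hash "$field")
        case "$scheme" in
            "$target"|locked) ;;
            *) echo "$user:$scheme" ;;
        esac
    done
}

# Constructed sample entries (salts and hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
alice:$1$c0nstruc$PLACEHOLDERHASH0000000:15533:0:99999:7:::
bob:$6$c0nstructed$PLACEHOLDERHASH:15533:0:99999:7:::
carol:!$1$c0nstruc$PLACEHOLDERHASH0000000:15533:0:99999:7:::
dave::15533:0:99999:7:::
daemon:*:15533:0:99999:7:::
EOF
}

# Each listed account keeps its old hash until its password is next set,
# e.g. after forcing a change with: chage -d 0 <user>
sample_shadow | needs_upgrade sha512
```

On a live system the same function reads the real file as root: `needs_upgrade sha512 < /etc/shadow`. An `empty` result is worth checking on its own, since that account accepts a login with no password.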