[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security trough paranoia

Quoting Matt Zimmerman <mdz@debian.org>:

> Is there any (currently implemented) way to switch from crypt to md5,
> supporting crypt passwords already in the database, but adding new
> passwords
> using md5?  This would allow administrators to make a smooth transition.

Use pam_unix and turn on the 'md5' option in the passwd section of your
pam config files. Services will still properly authenticate against
existing crypted passwords, but all new password hashes written to the
file upon password change will be md5. If you don't want to wait for users
to change their passwords before the hashes are changed, a little bit of
hacking inside pam_unix would allow the shadow file to be updated whenever
a user authenticates successfully. c.f. pam_krb5_migrate and pam_smbpass.

Steve Langasek
postmodern programmer

Reply to: