Re: Security trough paranoia

To: debian-devel@lists.debian.org
Subject: Re: Security trough paranoia
From: Steve Langasek <vorlon@netexpress.net>
Date: Sun, 1 Apr 2001 01:54:00 -0600
Message-id: <[🔎] 986111640.3ac6de981c503@www.secureserver.com>
In-reply-to: <20010401005324.C28925@alcor.net>
References: <20010330163354.A10286@bmrb.wisc.edu> <Pine.LNX.4.30.0103301643560.5180-100000@tennyson.netexpress.net> <20010330182728.A10695@bmrb.wisc.edu> <yttelvewxjr.fsf@gilgamesh.cse.ucsc.edu> <20010331163420.B994@korn.ch> <20010401005324.C28925@alcor.net>

Quoting Matt Zimmerman <mdz@debian.org>:

> Is there any (currently implemented) way to switch from crypt to md5,
> supporting crypt passwords already in the database, but adding new
> passwords
> using md5?  This would allow administrators to make a smooth transition.

Use pam_unix and turn on the 'md5' option in the passwd section of your
pam config files. Services will still properly authenticate against
existing crypted passwords, but all new password hashes written to the
file upon password change will be md5. If you don't want to wait for users
to change their passwords before the hashes are changed, a little bit of
hacking inside pam_unix would allow the shadow file to be updated whenever
a user authenticates successfully. c.f. pam_krb5_migrate and pam_smbpass.

Steve Langasek
postmodern programmer

Reply to:

Follow-Ups:
- Re: Security trough paranoia
  - From: Brian May <bam@debian.org>
- Re: Security trough paranoia
  - From: andrea@debian.org
- Re: Security trough paranoia
  - From: Joey Hess <joey@kitenet.net>

Prev by Date: Re: Security trough paranoia
Next by Date: Re: Security through paranoia 2, with proposal...
Previous by thread: Re: md5 default (was Re: Security trough paranoia)
Next by thread: Re: Security trough paranoia
Index(es):
- Date
- Thread