Re: Upgrading to Debian 8 and password issues
On 2015-12-11 16:00, Chuck Peters wrote:
> We have two types of password hashes in our LDAP DB, and the older
> type isn't authenticating. Is the older Unix DES based hash no longer
> supported or has some default configuration changed?
I can basically only talk from the libc point of view. The DES based
encryption is disabled if you kernel is booted in FIPS mode (which is
not the default for a Debian kernel). You can check that by looking at
/proc/sys/crypto/fips_enabled. If this file exists and contains a 1,
your system is in FIPS mode. If it contains another value or doesn't
exist, your system is not in FIPS mode.
> A base64 decoded ldif looks something like the following:
> userPassword:: {crypt}Aipcuzoh3eiVE
>
> Less than 10% of users have the SSHA hash and the one I tested
> authenticates correctly.
>
> Starting with a partial image of our old Debian 6 system, I upgraded
> to Debian 7 and it appears the LDAP accounts are authenticating
> correctly. When I upgrade to Debian 8, I'm having an issue with the
> old hashes, {crypt} appears to be a old Unix DES based hash. I also
> tested a few of the hashes with shadow passwords, and the DES hashes
> are failing there as well.
What doesn't work exactly? There might be more layers involved if you
talk about being able to login on the system: login, pam, ldap. I don't
know if anything has changed there. At least running /bin/su with a DES
password in /etc/shadow seems to work here.
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
Reply to: