
Re: Upgrading to Debian 8 and password issues



On Fri, Dec 11, 2015 at 5:26 PM, Aurelien Jarno <aurelien@aurel32.net> wrote:
> On 2015-12-11 16:00, Chuck Peters wrote:
>> We have two types of password hashes in our LDAP DB, and the older
>> type isn't authenticating.  Is the older Unix DES based hash no longer
>> supported or has some default configuration changed?
>
> I can basically only talk from the libc point of view. The DES based
> encryption is disabled if your kernel is booted in FIPS mode (which is
> not the default for a Debian kernel). You can check that by looking at
> /proc/sys/crypto/fips_enabled. If this file exists and contains a 1,
> your system is in FIPS mode. If it contains another value or doesn't
> exist, your system is not in FIPS mode.

/proc/sys/crypto/fips_enabled is set to 0.

Most likely the issue isn't due to libc.

>> Less than 10% of users have the SSHA hash and the one I tested
>> authenticates correctly.
>>
>> Starting with a partial image of our old Debian 6 system, I upgraded
>> to Debian 7 and it appears the LDAP accounts are authenticating
>> correctly.  When I upgrade to Debian 8, I'm having an issue with the
>> old hashes, {crypt} appears to be an old Unix DES based hash.  I also
>> tested a few of the hashes with shadow passwords, and the DES hashes
>> are failing there as well.
>
> What doesn't work exactly? There might be more layers involved if you
> talk about being able to login on the system: login, pam, ldap. I don't
> know if anything has changed there. At least running /bin/su with a DES
> password in /etc/shadow seems to work here.

I tested ssh and su with a few LDAP accounts and the two accounts I
tested with the DES based hash do not authenticate.

I also tried converting the LDAP accounts to shadow passwords and a
few of the accounts failed the chpasswd -e because of various
characters that seemed out of place.  I also tried a few accounts with
shadow passwords and the authentication results varied from one
account to another.

This old system is a mess and some of the users' passwords could be 20
years old.  Currently the system has 5 different methods for creating
or changing passwords, one uses perl, one uses php, one used poppassd
and two others use ldappasswd.  It's difficult to say what is causing
the issue.  At this point I think my best option is to work on
rehashing the passwords with Dovecot.
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes  That should
work for most of our users, and the rest will require a password
change.


Thanks,
Chuck
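The thread above turns on two checks: whether the kernel is in FIPS mode (read /proc/sys/crypto/fips_enabled; a missing file or any value other than 1 means no) and which hash scheme each account actually stores, since malformed {crypt} values are exactly what makes `chpasswd -e` reject an entry. The script below is an added example written for this thread; it is not code from Debian, glibc or Dovecot, and the LDAP entries it audits are constructed sample data, not real accounts. It classifies each userPassword value, separates well-formed traditional DES hashes (13 characters from the crypt alphabet) from ones that cannot be migrated, and lists the accounts that will need a password change rather than a rehash.

```python
"""Audit password-hash schemes stored in LDAP userPassword values.

Added example for the thread above (not Debian/glibc/Dovecot code).
It classifies each stored hash, flags traditional DES crypt values that
are malformed (wrong length or characters outside the crypt alphabet),
and checks FIPS mode the way the reply describes: the file must exist
and contain 1, otherwise the system is not in FIPS mode.
"""
import re
import string
from pathlib import Path

# Alphabet used by traditional DES crypt and by the $N$ modular formats.
CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)

# Prefix -> scheme name for the modular crypt(3) formats.
MODULAR_PREFIXES = {
    "$1$": "md5-crypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}

LDAP_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True only if the file exists and contains 1 (per the reply above)."""
    try:
        return Path(path).read_text().strip() == "1"
    except OSError:
        return False


def classify_crypt(value):
    """Classify a crypt(3)-style hash string.

    Returns 'des', 'des-malformed', a modular scheme name,
    'locked' (value starts with ! or *), or 'unknown'.
    """
    if value.startswith(("!", "*")):
        return "locked"
    for prefix, name in MODULAR_PREFIXES.items():
        if value.startswith(prefix):
            return name
    # Traditional DES: 2-char salt + 11-char hash, all from the crypt alphabet.
    if len(value) == 13 and set(value) <= CRYPT_ALPHABET:
        return "des"
    # No modular prefix and not a valid DES string: report it as malformed DES
    # so the account shows up in the reset list instead of failing silently.
    return "des-malformed" if value and "$" not in value else "unknown"


def classify_user_password(value):
    """Classify an LDAP userPassword value ({SCHEME}payload, RFC 2307 style).

    {crypt} wraps a crypt(3) string and is examined further; a value with
    no scheme prefix is stored cleartext or in an unknown form.
    """
    m = LDAP_SCHEME_RE.match(value)
    if not m:
        return "cleartext-or-unknown"
    scheme, payload = m.group(1).lower(), m.group(2)
    if scheme == "crypt":
        return "crypt/" + classify_crypt(payload)
    return scheme  # e.g. 'ssha', 'sha', 'md5', 'smd5'


def audit(entries):
    """entries: iterable of (uid, userPassword).

    Returns scheme counts plus the uids whose stored value is malformed DES;
    those cannot be verified or migrated and need a password change.
    """
    counts = {}
    needs_reset = []
    for uid, pw in entries:
        scheme = classify_user_password(pw)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme == "crypt/des-malformed":
            needs_reset.append(uid)
    return {"counts": counts, "needs_reset": needs_reset}


# Constructed sample entries (hypothetical uids, not real account data).
SAMPLE_ENTRIES = [
    ("alice", "{crypt}abJnggxhB/yWI"),                        # traditional DES
    ("bob", "{SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3A="),   # salted SHA-1
    ("carol", "{crypt}$6$rounds=5000$saltsalt$" + "A" * 86),  # sha512-crypt
    ("dave", "{crypt}abJnggxhB/yW"),                          # 12 chars: truncated
    ("erin", "{crypt}abJnggxhB/yW!"),                         # '!' outside alphabet
    ("frank", "{crypt}!abJnggxhB/yWI"),                       # locked account
]

if __name__ == "__main__":
    report = audit(SAMPLE_ENTRIES)
    for scheme, n in sorted(report["counts"].items()):
        print(f"{scheme:25s} {n}")
    print("needs reset:", ", ".join(report["needs_reset"]))
    print("FIPS mode:", fips_enabled())
```

Run against a real export, feed `audit()` the (uid, userPassword) pairs from an `ldapsearch` dump; accounts reported under `needs_reset` are the ones that no conversion tool can rehash because the stored value is not a valid crypt string to begin with, while well-formed `crypt/des` entries are the candidates for the Dovecot rehash-on-login approach.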

