Hello Recoverym4n Thanks for your hint.----- Original Message ----- From: <recoverym4n@gmail.com>
To: <debian-user@lists.debian.org> Sent: Monday, May 27, 2013 7:40 PMSubject: Re: /etc/shadow password hash format (migration from SuSE 9.3 to Debian Wheezy)
Install 'libpam-unix2' package. Configure PAM as outlined in /usr/share/doc/libpam-unix2/README.Debian. It is that simple.
I tried that out on a lab system where I replaced pam_unix.so into pam_unix2.so inside both common-auth and common-password config files.
Result: The system nows recognizes all $2a$ (Blowfish) password hashes but does not longer accepts $6$ (SHA-512) password now.
In the meantime, I migrated several user accounts to $6$ (SHA-512) hashes using "passwd" to setting new passwords so there's a $6$/$2a$ mixture in /etc/shadow now.
So what I actually need is a way that $6$ hashes are ok for any created new user account as well as invoked "passwd" command (=setting passwords always as $6$) but the authentication must accept both $2a$ and $6$, i.e. must be able to deal with a mixed /etc/shadow database. So existing user still can login with their $2a$ Blowfish hash while all my new users use a $6$ SHA-512 hash. So I think a configuration rule to use pam_unix.so and pam_unix2.so simultaneously will help.
Andreas
--
Teste die PC-Sicherheit mit www.sec-check.net