Re: /etc/shadow password hash format (migration from SuSE 9.3 to Debian Wheezy)

[Henrique de Moraes Holschuh <hmh@debian.org>]

On Tue, 28 May 2013, Andreas Meile wrote:
> I tried that out on a lab system where I replaced pam_unix.so into
> pam_unix2.so inside both common-auth and common-password config
> files.
> 
> Result: The system nows recognizes all $2a$ (Blowfish) password
> hashes but does not longer accepts $6$ (SHA-512) password now.

Use both at the same time to check credentials, and only pam_unix to change
credentials (to migrate to sha-512 over time).  But be very careful on how
you stack them, or you will create a nasty security hole.

I strongly suggest you do a very through reading of the PAM documentation
before you attempt this.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh