3

I want to change my SHA512 shadow file to use bcrypt as shown in this question/answer: Enable blowfish-based hash support for crypt

The problem is that i run into a chicken and egg problem, because the existing shadow-file is SHA512 encrypted, which means sudo doesn't work anymore as soon as i edit 

/etc/pamd/common-password
Community
  • 1
Fabian Zeindl
  • 229
  • 3
  • 10

2 Answers2

5

You hashed password entries also have formatting information in them.

"$id$salt$encrypted", where "$id" is the hashing algorithm used (On GNU/Linux, "$1$" stands for MD5, "$2$" is Blowfish, "$5$" is SHA-256 and "$6$" is SHA-512, crypt(3) manpage, other Unix may have different values, like NetBSD).

If your users' passwords have a time-based expiry, they'll eventually have to update them and the new hash will be in the format you've chosen. The system can tell which format passwords hashes are in per user, so things will keep working as passwords are updated over time.

As it also says in the answer you reference:

Passwords that are updated after these modifications are made will be hased using blowfish, exising shadow passwords are not modified

Jeff Ferland
  • 20,239
  • 2
  • 61
  • 85
  • But if i change the mechanism in the pam.d files, does it still "know how to do md5"? – Fabian Zeindl Apr 11 '12 at 10:51
  • @FabianZeindl Yes, it should. The PAM mechanism will define setting the password, but the algorithm used to check it is defined by the hash string. The PAM mechanism that handles verification should know all methods it might encounter. – Jeff Ferland Apr 11 '12 at 13:50
0

The nature of one-way password hashing makes it impossible (or nearly impossible) to reverse the hashes back into plaintext for the purpose of re-hashing them into blowfish or any other one-way hashing algorithm. However, it's my understanding that your existing md5/sha512/etc passwords will still work.

Kyle Smith
  • 9,563
  • 1
  • 30
  • 32