
I am trying to migrate an old CentOS 4.3 box to CentOS 7. I have followed the migration steps from an article published long ago on http://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/.

While configuring postfix and dovecot I realized (nearly two days later) that the migrated passwords stored in the shadow file have a different (md5) encryption than the one (sha512) being used on the new system.

I have two questions now: 1) Is this the correct method of migration? 2) Is there any way of converting the password file from md5 to sha512?

Or do I need to do something else? Thank you.

Silkograph

2 Answers

You shouldn't need to convert the passwords; the system should be able to use the old hash system. It's a good idea though to encourage users to change their passwords so that they are stored in a newer, better format in the future.

Conversion from MD5 to SHA is not possible because the hashing is not reversible - the system works not by decrypting the password to check it but by hashing the user input and checking if the result is the same.

Sven
  • I am doubting the encryption method because my old username's password is not working when I am testing the postfix/dovecot configuration. But when I created a new user and changed the password of one migrated user, I am not getting any error in the mailing config. – Silkograph Jul 25 '14 at 11:39
  • Can you login (on the console or via SSH) with the old password? Get this running before considering dependent services. – Sven Jul 25 '14 at 11:42
  • Yes, it is working. That means something is wrong in the postfix/dovecot configuration (?). I have copied the old md5 password to the new shadow file to test this. I was getting an error (maildir delivery failed: create maildir file /home/users/Maildir/tmp/1406195809.P13531.gw-host8.server.com: Permission denied) if I tried to log in through a mail client. But this problem disappeared after changing a password. Thanks. – Silkograph Jul 25 '14 at 11:59
  • Sorry to bother you. I don't know what happened, now everything is working fine. – Silkograph Jul 25 '14 at 12:12
  • This is kind of misleading. While in fact you would have to brute force the md5 hash to convert it to an sha hash, the machine does have access to the plaintext passwords every time a user logs in. Therefore, updating the hash functions when users log in would be technically possible (using pam?) and I'm currently looking for a way to do just that. – Gamification Jan 08 '20 at 15:33
You can force users to update their password at next login with:

chage -d 0 username1
chage -d 0 username2
...

so that they move to sha512 hash.

tonioc
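An added example, not code from either answer or from Sven, tonioc or the question's author, that ties the two answers together: the shadow entry carries the scheme and salt in front of the hash ($1$ for MD5-crypt, $6$ for SHA-512-crypt), so the same crypt(3) call verifies both; the MD5 hash cannot be rewritten without the plaintext, but at the moment a login succeeds the plaintext is in hand and the entry can be re-hashed as $6$; and whatever is still on $1$ afterwards is the list of users to hit with `chage -d 0`. It assumes a Linux host whose crypt(3) (glibc or libxcrypt) supports both schemes; the helper names (`parse_shadow`, `verify`, `upgrade_if_md5`, `still_on_md5`), the `ShadowEntry` class and the sample shadow lines are all constructed here.

```python
"""Inspect shadow-style entries, verify a password against whichever crypt(3)
scheme the stored hash uses, and re-hash verified MD5 entries as SHA-512.
Added example: helper names and the sample shadow data are constructed here."""
import hmac
import secrets


def _load_crypt():
    """Return a crypt(3) wrapper: the stdlib `crypt` module where it still
    exists (deprecated in 3.11, removed in 3.13), else libcrypt via ctypes."""
    try:
        import crypt as stdlib_crypt
        return stdlib_crypt.crypt
    except ImportError:
        import ctypes
        import ctypes.util
        lib = ctypes.CDLL(ctypes.util.find_library("crypt") or None)
        fn = lib.crypt
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p

        def wrapper(word, setting):
            out = fn(word.encode(), setting.encode())
            return out.decode() if out else None
        return wrapper


crypt3 = _load_crypt()

# Scheme identifiers glibc/libxcrypt put in front of the salt
SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


class ShadowEntry:
    def __init__(self, name, pw_hash, rest):
        self.name = name
        self.hash = pw_hash
        self.rest = rest  # lastchg, min, max, warn, inactive, expire, reserved

    @property
    def scheme(self):
        if not self.hash or self.hash[0] in "!*":
            return "locked"  # "!", "!!", "*" or "!$6$..." mean no password login
        for prefix, scheme in SCHEMES.items():
            if self.hash.startswith(prefix):
                return scheme
        return "unknown"

    def line(self):
        return ":".join([self.name, self.hash] + self.rest)


def parse_shadow(text):
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % raw)
        entries.append(ShadowEntry(fields[0], fields[1], fields[2:]))
    return entries


def verify(entry, password):
    """crypt(3) reads scheme and salt out of the stored hash, re-hashes the
    candidate, and we compare: migrated $1$ entries keep working on the new
    box. Nothing is decrypted, so a $1$ hash cannot become a $6$ one without
    the plaintext."""
    if entry.scheme in ("locked", "unknown"):
        return False
    computed = crypt3(password, entry.hash)
    return computed is not None and hmac.compare_digest(computed, entry.hash)


def new_sha512_setting():
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    return "$6$" + salt  # default round count; "$6$rounds=N$salt" also works


def upgrade_if_md5(entry, password):
    """Login is the one moment the plaintext is in hand: if it verifies against
    an MD5 entry, rewrite that entry as SHA-512. Returns True when rewritten."""
    if entry.scheme != "md5" or not verify(entry, password):
        return False
    rehashed = crypt3(password, new_sha512_setting())
    if not rehashed or not rehashed.startswith("$6$"):
        raise RuntimeError("crypt(3) on this host does not support sha512")
    entry.hash = rehashed
    return True


def still_on_md5(entries):
    """Accounts that have not logged in since the migration: the candidates
    for `chage -d 0 user`, which forces a password change and so a new hash."""
    return [e.name for e in entries if e.scheme == "md5"]


# Constructed sample: hashes are generated with crypt(3) at import time so
# they match the passwords used below; 16246 is just a plausible lastchg day.
SAMPLE_SHADOW = "\n".join([
    "alice:" + crypt3("correct horse", "$1$oldsalt0") + ":16246:0:99999:7:::",
    "bob:" + crypt3("battery staple", "$6$" + "x" * 16) + ":16246:0:99999:7:::",
    "svc:!!:16246:0:99999:7:::",
])

if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    print("still on md5:", still_on_md5(entries))
    print("alice upgraded:", upgrade_if_md5(entries[0], "correct horse"))
    print("still on md5:", still_on_md5(entries), "->", entries[0].line())
```

Run it as a script to watch `alice` move from `$1$` to `$6$` after a successful verification while `bob` (already `$6$`) and the locked `svc` account are left alone. Doing the rewrite on a real system means hooking the place where the password is actually checked (a PAM module, or the mail server's own auth backend) and writing the new hash back with the usual shadow locking, which this sample deliberately does not touch.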