[BlueOnyx:09928] Re: Importing users that have DES passwords

Michael Stauber mstauber at blueonyx.it
Thu Mar 29 00:08:56 -05 2012


Hi Ernie,

> most linux defaults to DES, you have to edit /etc/login.defs variable
> ENCRYPT_METHOD to get it to use MD5 or SHA for the shadow password file.

EL5 uses MD5. EL6 uses SHA512 as a default.

No, editing /etc/login.defs will not make that much of a difference by itself. 
Ultimately it is PAM that has the final say about the password formats and 
which login method is sufficient.

Example from EL6:

password    sufficient    pam_unix.so nullok use_authtok md5 shadow
 
So although SHA512 is the default on EL6, for all relevant bits and pieces we 
use the MD5 hashed passwords in /etc/shadow.

> Are you saying that if I set ENCRYPT_METHOD to DES before I import the
> users, that the scripts in the GUI won't be able to deal with it?

Let me put it this way: One way or another you can probably get EL6 to 
correctly authenticate users with their old DES passwords. Most likely by 
modifying the relevant PAM config files. You can have multiple "sufficient" 
lines in your PAM config, so having an alternate line with DES in it instead 
of MD5 might just work.

But when you create a new user in the GUI (or when an existing user uses the 
GUI to change his password), it will be stored in MD5 format. Because that's 
the way the GUI will call the system tools to create users or how it sets 
or changes passwords. Likewise this is how CMU does it. It says: "Here, create 
user 'John Doe' with the following MD5 password."

It would require some experimenting to see if it could be done and what the 
long term effects would be.

-- 
With best regards

Michael Stauber
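
Added example (not part of the original message and not BlueOnyx or CMU code): a small Python audit that classifies the password field of shadow-format entries by crypt(3) scheme, so accounts still carrying DES hashes can be listed after an import. The function names and the sample entries are constructed for illustration; the sample values are placeholders, not real hashes.

```python
import re

# crypt(3) prefixes for the modular schemes; MD5 and SHA512 are the ones named in the thread.
PREFIXES = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}
# Traditional DES crypt has no prefix: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return (scheme, locked) for the second field of a shadow entry."""
    locked = field.startswith("!")          # leading '!' marks a locked password
    body = field.lstrip("!")
    if body == "":
        # '!' / '!!' alone: no usable password. A truly empty field is a
        # passwordless account, which pam_unix accepts when 'nullok' is set.
        return ("none" if locked else "empty", locked)
    if body == "*":
        return ("none", locked)
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return (name, locked)
    if DES_RE.match(body):
        return ("DES", locked)
    return ("unknown", locked)

def audit_shadow(text):
    """Map user -> (scheme, locked) for shadow-format text; skips comments and malformed lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        result[parts[0]] = classify_hash(parts[1])
    return result

def des_users(text):
    """Accounts whose stored hash is still traditional DES."""
    return sorted(u for u, (scheme, _) in audit_shadow(text).items() if scheme == "DES")

# Constructed sample entries (placeholder values, not real hashes).
SAMPLE = """\
alice:ab0123456789A:15000:0:99999:7:::
bob:$1$CONSTRCT$0123456789abcdefghijkl:15428:0:99999:7:::
carol:$6$CONSTRCT$placeholder:15428:0:99999:7:::
dave:!ab0123456789A:15000:0:99999:7:::
eve:!!:15428:0:99999:7:::
frank::15428:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (scheme, locked) in audit_shadow(SAMPLE).items():
        print(f"{user:8} {scheme:8} {'locked' if locked else ''}")
```
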


