Accept both MD5 and SHA512 hashes is /etc/shadow

id flag

I recently upgraded debian server with many users to a recent version. The old server used MD5 password hashes (the shadow passwords begin with $1$) and new one is configured to use SHA-512. I want to migrate users from one server to another.

Is there any way to allow both MD5 and SH512 hashes in /etc/shadow? Of course I need MD5 hashes just to allow old users to login until they change password and get SHA512 hash.

I'd prefer to keep using sha512, but would like the old users to be able to partially login once with their old password and then be forced to update their password. Right now, the old md5-based passwords in /etc/shadow won't let the user login at all (and just appear to be incorrect passwords).

Any help?

Drudge avatar
pl flag
I'm not totally sure but I think that multiple encryption variants are allowed by default and during authentication, the correct variant is chosen based on the hash. The hash is stored in the format $id$salt$hashed. If id equals 1, md5 is chosen and if id equals 6, sha512 is chosen for checking the password. The default encryption algorithm when using passwd is normally defined in /etc/pam.d/common-password. There is a line containing If there is an option called sha512, the password should be stored as a sha512 hash after running passwd, see
us flag

Changing the default doesn't affect the validity of existing hashes. So as long as the hash types are still supported, you can "mix and match" types and they should all be able to be used for authentication.

After the default hash type is changed, as users update their passwords, the passwords will be stored using the new hash type - providing exactly the migration path it sounds like you're looking for.

Paweł avatar
id flag
Thanks for your replay. Problem I have $1$(MD5) and $6(SHA512) hashes in /etc/shadow. New passwords are obviously created with SH512 hashes. However users with MD5 hashes cannot login (login incorrect)

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.