Accept both MD5 and SHA512 hashes is /etc/shadow

Paweł

3/18/23, 7:30 PM

I recently upgraded debian server with many users to a recent version. The old server used MD5 password hashes (the shadow passwords begin with $1$) and new one is configured to use SHA-512. I want to migrate users from one server to another.

Is there any way to allow both MD5 and SH512 hashes in /etc/shadow? Of course I need MD5 hashes just to allow old users to login until they change password and get SHA512 hash.

I'd prefer to keep using sha512, but would like the old users to be able to partially login once with their old password and then be forced to update their password. Right now, the old md5-based passwords in /etc/shadow won't let the user login at all (and just appear to be incorrect passwords).

Any help?

0 + 0

linux

password

migration

Drudge

3/18/23, 9:43 PM

I'm not totally sure but I think that multiple encryption variants are allowed by default and during authentication, the correct variant is chosen based on the hash. The hash is stored in the format $id$salt$hashed. If id equals 1, md5 is chosen and if id equals 6, sha512 is chosen for checking the password. The default encryption algorithm when using passwd is normally defined in /etc/pam.d/common-password. There is a line containing pam_unix.so. If there is an option called sha512, the password should be stored as a sha512 hash after running passwd, see linux.die.net/man8/pam_unix

Score:0

Server

Royce Williams

3/18/23, 10:11 PM

Changing the default doesn't affect the validity of existing hashes. So as long as the hash types are still supported, you can "mix and match" types and they should all be able to be used for authentication.

After the default hash type is changed, as users update their passwords, the passwords will be stored using the new hash type - providing exactly the migration path it sounds like you're looking for.

0 + 0

Paweł

3/19/23, 9:15 AM

Thanks for your replay. Problem I have $1$(MD5) and $6(SHA512) hashes in /etc/shadow. New passwords are obviously created with SH512 hashes. However users with MD5 hashes cannot login (login incorrect)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Accept both MD5 and SHA512 hashes is /etc/shadow

TH: ยอมรับแฮชทั้ง MD5 และ SHA512 คือ /etc/shadow

RO: Acceptați ambele hashuri MD5 și SHA512 este /etc/shadow

RU: Принимать как хэши MD5, так и SHA512 — /etc/shadow

VI: Chấp nhận cả hàm băm MD5 và SHA512 là /etc/shadow

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.