Quote:
Originally Posted by paul.lkw
Hi All;
My boss asked me to convert a CentOS system password like "LMPQSMTE0nHlQ" to a Postfix MySQL MD5 hashed password. I find CentOS seems to have 2 kinds of password form, one is shorter and the other is very long like "$1$C2MSk16n$WT5JWnzYH7XpCCjsiE2bd1"; however I find Postfix uses exactly the latter long one, so does anyone know how to convert the short form to the latter one?
They are not encrypted passwords, they are hashes (Wikipedia) from the actual passwords. It is not possible to just convert one to the other.
The form "$1$salt$hash" is, like you wrote, a pretty standard form for an MD5-based password hash. However, the format of the "plaintext" -- the actual string of bytes the hash function operates on -- varies, as does the number of times the hash function is applied. As there are various methods MD5 can be used in Postfix and MySQL, I cannot say if the two forms are the same or not. You can find out by transferring a test account password that way. If the same password works for both login and Postfix, you're good.
The short form is the traditional Unix crypt (Wikipedia) format, which is not secure (I'd say they're about as hard to break as a wet paper towel), as it can be cracked by current processors in a very short time with well-known tools. Even the Wikipedia page links to the Crypt Breaker's Workbench, although all Linux distros have multiple packages that can be used for this.
If your users log in to the server, please use password migration to require them to change their password the next time they log in. (You already seem to have the default password encryption settings -- usually in the line containing pam_unix.so in the passwd file (or some other file include'd by that file) in your PAM config -- as MD5; you might look for the string pam_unix.so use_authtok md5, if I remember RHEL defaults correctly.)
If you absolutely have to forcibly migrate the passwords, first take a backup copy of /etc/passwd, /etc/group, /etc/shadow, and /etc/gshadow -- the latter two require root rights to read, so put the backup copies in a root-only directory; consider all these files sensitive (although the first two files are readable by any user with login rights). Then, please use pwconv to migrate all passwords to the shadow files (/etc/shadow instead of /etc/passwd, and /etc/gshadow instead of /etc/group). Finally, write a script that "cracks" the passwords, but instead of showing them, pipes the username:password pairs to chpasswd -S, which uses the default settings for new passwords to output the correct hashed password lines to standard output. If you drop the -S, and chpasswd is run with root rights, it'll change the local password.
User credentials are, after all, the most sensitive information on the system. (If they are compromised, all data available to those credentials is compromised; and there might be a local exploit in the wild which allows a local user to escalate to full root access rights -- and then all data on that machine is compromised.)
I recommend the practice of keeping those credentials secure at all times, even from yourself. You do not, after all, need to see them. So why take any risk?
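An added example, not from the original thread: a from-scratch Python implementation of the MD5-crypt ("$1$salt$hash") scheme discussed above, showing the specific plaintext construction and the 1000 hash rounds that make it different from a plain MD5 of the password, plus a checker that recomputes a stored hash from a candidate password (the same check a test-account login performs). The password "test" and the salt taken from the quoted hash are constructed sample values; the 13-character DES crypt form uses a different algorithm, so the checker rejects it rather than pretending a conversion exists.

```python
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the "$1$salt$hash" string for `password` (salt is cut to 8 chars)."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]
    s = salt.encode()
    alt = hashlib.md5(pw + s + pw).digest()          # MD5(pw, salt, pw)
    ctx = hashlib.md5(pw + b"$1$" + s)               # MD5(pw, magic, salt, ...)
    n = len(pw)
    while n > 0:                                     # ... then len(pw) bytes of alt
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                                         # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                            # fixed stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                                        # scrambled base64-like output
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    enc += _to64(f[11], 2)
    return f"$1${salt}${enc}"


def verify(password: str, stored: str) -> bool:
    """Check a cleartext against a stored "$1$" hash by recomputing it with its salt."""
    if not stored.startswith("$1$"):
        raise ValueError("not MD5-crypt (the 13-char form is DES crypt, a different algorithm)")
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(md5_crypt(password, salt), stored)
```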