LinuxQuestions.org
10-07-2004, 02:17 PM   #1
WeNdeL

Password Migration

I have an old mail-server running RH 7.2. I have built a new mail-server running RH 9. I need to migrate my users' accounts and passwords over to this new machine.

I am not certain what encryption mechanism my 7.2 server was using as my system-auth file found in /etc/pam.d/ dir looks like this:

# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow nis
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

The one from my 9 server looks like so:

# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

My assumption is that both machines are making use of md5 sums with respect to their shadow files. Unfortunately, when I compare two already existing users on both machines, their password hashes are not identical.

So...

My questions to you are:

1. What would be the best way to figure out what encryption mechanism my old server is using?
2. What would be the best way to migrate my users' passwords from one machine to the other?

Thanks...
 
10-07-2004, 03:02 PM   #2
apolinsky
I think you are looking at the wrong place. PAM is the mechanism that is used when logging into the system. (It stands for pluggable authentication modules.) The passwords stored in the /etc/shadow directory use a crypt utility to encrypt the password. The first two bytes of the password are called the 'salt'. These bytes are a random number used in the encryption phase. In Unix, or Linux, if two users enter the same password they are likely to appear different in the shadow file because of the 'salt'. I think under Windows, at least until NT4, two passwords would always be encrypted the same. I think if you would copy the password and the shadow file, you will probably be okay. Make sure you save the original files in case things get screwed up.
 
10-08-2004, 07:04 AM   #3
amfoster
ya know, if ya copy the shadow line from one machine to another the same password is good.

In fact the useradd command has an option -p for that, although just copying the line is easier.
 
10-08-2004, 09:53 AM   #4
WeNdeL
ugh...
 
10-09-2004, 10:13 AM   #5
hob
Red Hat have been using MD5 as the default for a very long time (since RH 7, possibly).

At work we migrated between mail servers once by copying the /etc/passwd, /etc/shadow and /etc/group files from an old (Sun) machine to a newer (RH) system.

The main issue is that the listings for the built-in system accounts have to be correct for the new system or things may break. So I took copies of the files from the new machine and added the lines for the relevant user accounts from the files on the old machine. I actually used the Gnumeric spreadsheet software for this.

Provided that the three authentication files are consistent you can then copy them into place on the new system. Since this won't terminate existing logins it's a good idea to be logged in as root on a console before you start in case you make a mistake.

Once the files were replaced we used a script to create the home directories for the accounts on the new box, copied the mailboxes over and used another script to reset the permissions on the mailboxes.
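
An added example, not part of any post in this thread: a Python version of the merge hob describes, which also answers the first question by reading each shadow field's format (a `$1$` prefix is MD5-crypt, a bare 13-character string is traditional DES crypt). The sample files, the function names and the 500 to 60000 user-UID range are assumptions; /etc/group lines would be merged the same way.

```python
import re

# Constructed sample files (not from the thread); the hashes are dummy strings.
OLD_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:500:500::/home/alice:/bin/bash\n"
              "bob:x:501:501::/home/bob:/bin/bash\n"
              "nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin\n")
OLD_SHADOW = ("root:$1$oldsalt0$AAAAAAAAAAAAAAAAAAAAAA:12000:0:99999:7:::\n"
              "alice:$1$abcdefgh$BBBBBBBBBBBBBBBBBBBBBB:12500:0:99999:7:::\n"
              "bob:ab0123456789A:12500:0:99999:7:::\n"
              "nfsnobody:!!:12000:0:99999:7:::\n")
NEW_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
NEW_SHADOW = "root:$1$newsalt0$CCCCCCCCCCCCCCCCCCCCCC:12700:0:99999:7:::\n"

def hash_scheme(field):
    """Name the crypt(3) scheme of a shadow password field from its format."""
    if field == "" or field[0] in "!*":
        return "empty-or-locked"
    if field.startswith("$1$"):
        return "md5-crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"          # traditional crypt: 2-char salt + 11-char hash
    return "other"

def merge_accounts(old_passwd, old_shadow, new_passwd, new_shadow,
                   min_uid=500, max_uid=60000):
    """Append old-server user accounts to copies of the new server's files.
    Assumption: ordinary users have UIDs in [min_uid, max_uid]; anything else
    is a system account, for which the new machine's own entry is kept."""
    passwd, shadow = new_passwd.splitlines(), new_shadow.splitlines()
    taken_names = {l.split(":")[0] for l in passwd}
    taken_uids = {l.split(":")[2] for l in passwd}
    old_lines = {l.split(":")[0]: l for l in old_shadow.splitlines()}
    schemes = {}
    for line in old_passwd.splitlines():
        name, _, uid = line.split(":")[:3]
        if not min_uid <= int(uid) <= max_uid:
            continue                # system account: keep the new server's entry
        if name in taken_names or uid in taken_uids or name not in old_lines:
            continue                # name/UID clash, or no shadow entry to carry over
        passwd.append(line)
        shadow.append(old_lines[name])      # salt and hash copied verbatim
        schemes[name] = hash_scheme(old_lines[name].split(":")[1])
    return "\n".join(passwd) + "\n", "\n".join(shadow) + "\n", schemes

if __name__ == "__main__":
    _, merged_shadow, schemes = merge_accounts(OLD_PASSWD, OLD_SHADOW, NEW_PASSWD, NEW_SHADOW)
    print(schemes, merged_shadow, sep="\n", end="")
```

Write the merged output to temporary files and check them (for example with pwck) before replacing the live files, and keep the shadow file readable by root only.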
 
10-09-2004, 07:18 PM   #6
amfoster
Moving this, moving that. Yep, it is a pain. Now ya know why a lot of admins like the users' home directories and /var/spool/mail mounted as either nfs, sfs or smb shares. With the mail, the users always have their mail despite what machine they are working on.
 
10-10-2004, 04:32 AM   #7
hob
In our case, the problem was that we were migrating the central server that was holding the user mail for the whole network, as WeNdeL is doing.

On average I think that a server runs for about 4 or 5 years before you have to migrate the services to a new one for one reason or another. UNIX makes it easy and stress free - copy a few files, reset the permissions, restart the services. Migrating services between Windows systems is usually a horrible experience.
 