Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm trying to import a bunch of users that are stored in a database to have system accounts for email.
The database hashes passwords with the md5() function, and according to authconfig, the shadow file is set for md5 as well, but when I look at a user in the DB that already matches a system account, the password fields look completely different:
Code:
5f4dcc3b5aa765d61d8327deb882cf99 (database with md5() function)
$1$d84L.BLI$eBOrWgfHw8L0e3U2gSPxj/ (same password from /etc/shadow)
NOTES
Glibc Notes
The glibc2 version of this function has the following additional features. If salt is a character string starting with the three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES machine, the glibc crypt function uses an MD5-based algorithm, and outputs up to 34 bytes, namely "$1$<salt>$<encoded>", where "<salt>" stands for the up to 8 characters following "$1$" in the salt, and "<encoded>" is a further 22 characters. The characters in "<salt>" and "<encoded>" are drawn from the set [a-zA-Z0-9./]. The entire key is significant here (instead of only the first 8 bytes).
I've now gone and read crypt(3), shadow(5), and passwd(5), along with the pointer you've provided and am still unsure if it is even possible to convert, let alone how.
They are hashes so you can't convert from one to another. The shadow passwords used salt and the entries in the database don't. The $1$ indicates that md5sum was used. The $d84L.BLI$ indicates that the salt used was 'd84L.BLI'. The rest is the md5sum produced. The two systems use different output characters as well. I'm not sure what program produces the encoding for binary or hexadecimal to the '0-9a-zA-Z./' character set used. ( other than the lcrypt(3) library )
Looking at openssl for example, I could use something like:
openssl dgst -md5 -binary <(printf '%s' "$password") | openssl enc -base64
But the base64 is the wrong encoding, and openssl dgst doesn't take a salt input.
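As an added example (it is not code from the thread or from any of the posters), the following Python reconstructs the "$1$" scheme that crypt(3) uses, so the two strings in the first post can be compared against the same plaintext. It shows why they look nothing alike even though both encode "password": the glibc "$1$" algorithm (known as md5crypt) mixes the salt into the input, runs 1000 further MD5 rounds, and encodes the 16-byte result with the [./0-9A-Za-z] alphabet six bits at a time rather than as hex, whereas the database column is a single unsalted MD5 rendered as hex. The salt "d84L.BLI" and both hashes are the ones quoted in the thread; the function names and the random-salt helper are my own. Since both are one-way functions, the only "conversion" available is to check a candidate plaintext against each form, which is what the two verify functions do; a new shadow entry can only be produced when the plaintext is in hand, for instance at the moment a user changes their password.

```python
import hashlib
import hmac
import secrets

# Alphabet crypt(3) uses for salt and encoded digest (the "[a-zA-Z0-9./]"
# set from the glibc notes, in the order the encoder indexes it).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` ITOA64 characters from `value`, six bits at a time, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Compute a glibc/FreeBSD "$1$" (md5crypt) hash for `password` and `salt`.

    This is the construction behind "$1$" entries in /etc/shadow: the salt and
    password are mixed into an initial MD5, 1000 extra MD5 rounds are applied,
    and the final 16 bytes are encoded with ITOA64 instead of hex.
    """
    pw = password.encode("utf-8")
    salt = salt[:8]  # crypt uses at most eight salt characters
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:  # add len(pw) bytes of the alternate digest, 16 at a time
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a set bit, pw[0] otherwise
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final  # byte positions are permuted before encoding, as in crypt(3)
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def verify_shadow(password: str, shadow_hash: str) -> bool:
    """Check a candidate password against a "$1$salt$encoded" entry from /etc/shadow."""
    parts = shadow_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ (md5crypt) hash")
    candidate = md5crypt(password, parts[2])
    return hmac.compare_digest(candidate, shadow_hash)


def verify_db_md5(password: str, hex_digest: str) -> bool:
    """Check a candidate password against an unsalted md5() hex digest from the database."""
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, hex_digest.lower())


def new_shadow_hash(password: str) -> str:
    """Produce a fresh "$1$" entry with a random 8-character salt (hypothetical helper)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


if __name__ == "__main__":
    # The two values quoted in the thread; both were made from "password".
    db_hash = "5f4dcc3b5aa765d61d8327deb882cf99"
    shadow_hash = "$1$d84L.BLI$eBOrWgfHw8L0e3U2gSPxj/"
    print(md5crypt("password", "d84L.BLI"))
    print(verify_db_md5("password", db_hash), verify_shadow("password", shadow_hash))
```

Comparisons use hmac.compare_digest so that a verification routine does not leak how many leading characters matched. Note that md5crypt is itself obsolete (current distributions default to "$6$" SHA-512 crypt or yescrypt, which the same shadow format accommodates via a different prefix), and the unsalted md5() column is weaker still, since identical passwords produce identical hashes and precomputed tables apply directly.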
What type of accounts do these users have presently? The passwords for accessing a database may be different from the passwords for accessing a normal account. If these are for samba or AD passwords, consider using one of those as the authentication source for the email server.
For Fedora Core at least, there are 3 books supplied with the samba rpm package that might help. Samba3-ByExample, Samba3-HOWTO, and UsingSamba. The first two are the same as you can find in the book store. The third is an earlier edition. The one in the book store may have more Samba3/Active Directory information. The chapters on PAM might be useful. Also, look in your RedHat documentation on how to change the authentication source. You may be able to do it from either the "users" configuration or "security".
If the database you have these passwords in is used for a Samba password backend, there probably is a way to use it as the authentication source, and you can probably do it from one of the system-config-* modules.
You would probably want to do this anyway for when users change their passwords.
---
If these passwords are from an ldap server, look at the pwdutils package.
---
I'm not positive from your last post, whether you have a list of passwords/encrypted passwords or if you just tested your own password against both password examples. I assumed the latter.
What I have is an integrated website I run for a gaming clan. Users have a profile page, forum account, and TeamSpeak account that all use the same password. Those are all stored as md5 hashes in mysql. This allows single sign-on between the forum/profiles, and allows central password management (resetting in profile updates TeamSpeak and forums automatically).
I've added email to the things I do for the clan, and was hoping to keep the email passwords matched as well. I guess at this point I can try getting qmail to authenticate users against the DB table instead of system accounts.
I already have hooks in the code to update system account passwords when they do it on their profile page, so I could stick with that and just tell the users they must update their profile password to get their email working. Problem is there are 360+ users...
Thanks again for the info and your patience.
--
The hashes I posted in my example are from testing, both = "password." All I have in hand is md5() hashes, if I knew all of the plaintext passwords I'd have a lot easier time, but then, where's my security =)