difference between md5 shadow and md5 elsewhere?

#1  whysyn (Member)  12-10-2007, 02:28 PM

Hello,

I'm trying to import a bunch of users that are stored in a database to have system accounts for email.

The database hashes passwords with the md5() function, and according to authconfig, the shadow file is set for md5 as well, but when I look at a user in the DB that already matches a system account, the password fields look completely different:
Code:
    5f4dcc3b5aa765d61d8327deb882cf99 (database with md5() function)
    $1$d84L.BLI$eBOrWgfHw8L0e3U2gSPxj/ (same password from /etc/shadow)

Is there any way I can convert these?

Thanks!
 
#2  jschiwal (LQ Guru)  12-10-2007, 03:08 PM
From man (3) crypt:

Quote:
    NOTES
    Glibc Notes
    The glibc2 version of this function has the following additional features. If salt is a character string starting with the
    three characters "$1$" followed by at most eight characters, and optionally terminated by "$", then instead of using the DES
    machine, the glibc crypt function uses an MD5-based algorithm, and outputs up to 34 bytes, namely "$1$<salt>$<encoded>",
    where "<salt>" stands for the up to 8 characters following "$1$" in the salt, and "<encoded>" is a further 22 characters.
    The characters in "<salt>" and "<encoded>" are drawn from the set [a-zA-Z0-9./]. The entire key is significant here (instead
    of only the first 8 bytes).
 
#3  whysyn (Original Poster)  12-10-2007, 03:56 PM
I've now gone and read crypt(3), shadow(5), and passwd(5), along with the pointer you've provided and am still unsure if it is even possible to convert, let alone how.

Could you provide any more pointers?
 
#4  jschiwal (LQ Guru)  12-10-2007, 06:58 PM
They are hashes so you can't convert from one to another. The shadow passwords used salt and the entries in the database don't. The $1$ indicates that md5sum was used. The $d84L.BLI$ indicates that the salt used was 'd84L.BLI'. The rest is the md5sum produced. The two systems use different output characters as well. I'm not sure what program produces the encoding for binary or hexadecimal to the '0-9a-zA-Z./' character set used (other than the lcrypt(3) library).

Looking at openssl for example, I could use something like:
Code:
    openssl dgst -md5 -binary <(echo -n $password) | openssl enc -base64

But the base64 is the wrong encoding, and openssl dgst doesn't take a salt input.

What type of accounts do these users have presently? The passwords for accessing a database may be different from the passwords for accessing a normal account. If these are for samba or AD passwords, consider using one of those as the authentication source for the email server.

For Fedora Core at least, there are 3 books supplied with the samba rpm package that might help. Samba3-ByExample, Samba3-HOWTO, and UsingSamba. The first two are the same as you can find in the book store. The third is an earlier edition. The one in the book store may have more Samba3/Active Directory information. The chapters on PAM might be useful. Also, look in your RedHat documentation on how to change the authentication source. You may be able to do it from either the "users" configuration or "security".

If the database you have these passwords in is used for a Samba password backend, there probably is a way to use it as the authentication source, and you can probably do it from one of the system-config-* modules.

You would probably want to do this anyway for when users change their passwords.

---

If these passwords are from an ldap server, look at the pwdutils package.

---

I'm not positive from your last post, whether you have a list of passwords/encrypted passwords or if you just tested your own password against both password examples. I assumed the latter.

Last edited by jschiwal; 12-10-2007 at 07:39 PM.
 
#5  OlRoy (Member)  12-10-2007, 07:13 PM
Just so you know, the reason *nix passwords are salted is to prevent people from pre-computing the hashes and creating rainbow tables.
 
#6  whysyn (Original Poster)  12-11-2007, 10:11 AM
That makes sense, thanks for the clarification.

What I have is an integrated website I run for a gaming clan. Users have a profile page, forum account, and TeamSpeak account that all use the same password. Those are all stored as md5 hashes in mysql. This allows single sign-on between the forum/profiles, and allows central password management (resetting in profile updates TeamSpeak and forums automatically).

I've added email to the things I do for the clan, and was hoping to keep the email passwords matched as well. I guess at this point I can try getting qmail to authenticate users against the DB table instead of system accounts.

I already have hooks in the code to update system account passwords when they do it on their profile page, so I could stick with that and just tell the users they must update their profile password to get their email working. Problem is there are 360+ users...

Thanks again for the info and your patience.

--

The hashes I posted in my example are from testing, both = "password." All I have in hand is md5() hashes, if I knew all of the plaintext passwords I'd have a lot easier time, but then, where's my security =)

Last edited by whysyn; 12-11-2007 at 10:14 AM.
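An added worked example (not code from the thread or from any of its posters) that ties together the question in post #1, the salt explanation in posts #4 and #5, and the "re-hash when the user next updates their profile" plan in post #6. It computes the two formats side by side for the thread's test password, implements the `$1$` MD5-crypt scheme that crypt(3) describes (salt, 1000 rounds, its own `./0-9A-Za-z` alphabet) using only `hashlib`, so it does not depend on Python's deprecated `crypt` module, and shows why the hex value cannot be turned into a shadow entry: the only moment the plaintext is available is at login or profile update, and that is when a salted entry can be minted. `md5_crypt`, `verify_shadow`, `migrate_on_login` and `new_salt` are names chosen for this example; the two hash strings are the ones quoted in the thread.

```python
import hashlib
import hmac
import os

# crypt(3)'s output alphabet; index i maps to the character at position i.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The pair quoted in post #1; post #6 says both are the password "password".
DB_HEX_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
SHADOW_HASH = "$1$d84L.BLI$eBOrWgfHw8L0e3U2gSPxj/"


def db_md5(password: str) -> str:
    """What MySQL's md5() stores: one unsalted MD5, hex-encoded, 32 characters."""
    return hashlib.md5(password.encode()).hexdigest()


def _to64(value: int, count: int) -> str:
    """crypt(3)'s little-endian 6-bit encoding (not RFC base64)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """$1$ MD5-crypt as in glibc/FreeBSD: salted, 1000 rounds, 34-char output."""
    pw = password.encode()
    salt_b = salt.encode()[:8]            # at most eight salt characters are used
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)                   # mix in alt, one byte per password byte
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                        # then one byte per bit of the length
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                 # the deliberate slowdown rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt_b.decode() + "$" + encoded


def new_salt() -> str:
    """Eight random characters from the crypt alphabet."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


def verify_shadow(password: str, shadow_entry: str) -> bool:
    """Check a candidate against a $1$ entry by re-running crypt with its salt."""
    if not shadow_entry.startswith("$1$"):
        return False
    salt = shadow_entry[3:].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt), shadow_entry)


def migrate_on_login(password: str, db_hash: str):
    """Lazy migration hook (hypothetical): if the submitted password matches the
    old unsalted hex hash, return a fresh salted shadow entry; otherwise None."""
    if not hmac.compare_digest(db_md5(password), db_hash):
        return None
    return md5_crypt(password, new_salt())


if __name__ == "__main__":
    print("db md5()   :", db_md5("password"))
    print("crypt $1$  :", md5_crypt("password", "d84L.BLI"))
    print("matches thread's shadow entry:",
          md5_crypt("password", "d84L.BLI") == SHADOW_HASH)
    # Same password, different salts, different entries: a precomputed table
    # of md5("password") says nothing about any of them.
    print(md5_crypt("password", new_salt()))
    print(md5_crypt("password", new_salt()))
```

The migration helper is the part that answers the thread: nothing turns a stored hex digest into a salted entry, so each account gets its shadow-style hash the next time that user proves the password, exactly the profile-update hook the original poster already has.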