change password encryption scheme

Suppose I want to change the password format for a machine that already has accounts.
I change the login class (suppose the default one) as follows:
Code:
default:\
 :passwd_format=blf:\
then run cap_mkdb(1). Does this suffice, or am I supposed to also run pwd_mkdb(1)? Because running only cap_mkdb(1) does not change the /etc/pwd.db files.
Or am I doing a totally wrong procedure?
 
New passwords will use the new scheme, the old passwords however will not change until the user changes their password.

If you think about it, it's not possible to change the hashing algorithm on existing passwords: you don't know what the password is, so you cannot re-hash it with a new scheme.
 
pwd_mkdb(8) does not "re-encrypt" passwords. In fact, I think that's pretty much impossible. The passwords have to be changed manually for the new format to take effect.
 
SirDice said:
If you think about it, it's not possible to change the hashing algorithm on existing passwords: you don't know what the password is, so you cannot re-hash it with a new scheme.

Thanks, I was realizing it by myself...
However, having changed the pwd_format, how can the old hash be checked when a user logs in?
 
fluca1978 said:
having changed the pwd_format, how can the old hash be checked when a user logs in?
The password hash has a prefix telling which encryption scheme was used. For example, MD5 hashes start with $1$, $2a$ means Blowfish etc. It's all documented in the man page: see crypt(3).
 
If I remember correctly the first few bytes of the hashed password indicate the hashing scheme that was used. The passwd_format 'variable' only comes into play when setting the password, not when checking it.
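As an added illustration of the point made in this thread (not code from any poster or from FreeBSD itself): a small POSIX sh audit that classifies each account's hash by its crypt(3) prefix, so that after switching passwd_format an admin can see which accounts still carry an old-scheme hash and have not yet had their password re-set. The master.passwd lines are constructed samples with placeholder hash bodies; on a real system you would read /etc/master.passwd as root instead.

```shell
#!/bin/sh
# Classify a crypt(3) hash by its prefix. This is the same information
# crypt(3) uses to pick the algorithm when a login is checked, which is
# why old hashes keep working after passwd_format changes.
hash_scheme() {
    case "$1" in
        '$1$'*)           echo md5 ;;
        '$2a$'*|'$2b$'*)  echo blf ;;
        '$5$'*)           echo sha256 ;;
        '$6$'*)           echo sha512 ;;
        '*'*|'!'*)        echo locked ;;   # "*" or "*LOCKED*..." entries
        '')               echo empty ;;
        *)                echo des ;;      # traditional 13-char DES hash
    esac
}

# Constructed master.passwd-style lines (field 2 is the hash). The hash
# bodies are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD='root:$6$saltsalt$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$saltsalt$PLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$10$saltsaltsaltsaltsaltsaPLACEHOLDERHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
svc:*:1003:1003::0:0:Service:/nonexistent:/usr/sbin/nologin'

# Print "user:scheme" for every account in the given master.passwd text.
report_schemes() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        printf '%s:%s\n' "$user" "$(hash_scheme "$hash")"
    done
}

# Count accounts whose hash is not yet in the wanted scheme, ignoring
# locked and empty entries (no password to migrate there).
count_pending() {
    report_schemes "$1" | grep -v -e ":$2\$" -e ':locked$' -e ':empty$' | wc -l | tr -d ' '
}

report_schemes "$SAMPLE_MASTER_PASSWD"
echo "accounts still to migrate to blf: $(count_pending "$SAMPLE_MASTER_PASSWD" blf)"
```

Accounts listed with a scheme other than the new passwd_format are the ones whose users still need to run passwd(1); pwd_mkdb(8) will not do it for them.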
 