From owner-freebsd-questions Sat Jul 8 23:11:21 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from eagle.prod.itd.earthlink.net (eagle.prod.itd.earthlink.net [207.217.120.24])
    by hub.freebsd.org (Postfix) with ESMTP id 7C7C837BFD8
    for ; Sat, 8 Jul 2000 23:11:18 -0700 (PDT)
    (envelope-from cjc@pool0617.cvx20-bradley.dialup.earthlink.net)
Received: from pool0617.cvx20-bradley.dialup.earthlink.net (pool0617.cvx20-bradley.dialup.earthlink.net [209.179.252.107])
    by eagle.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id XAA06348;
    Sat, 8 Jul 2000 23:11:15 -0700 (PDT)
Received: (from cjc@localhost)
    by pool0617.cvx20-bradley.dialup.earthlink.net (8.9.3/8.9.3) id XAA00358;
    Sat, 8 Jul 2000 23:09:38 -0700 (PDT)
Date: Sat, 8 Jul 2000 22:55:19 -0700
From: "Crist J. Clark"
To: Evren Yurtesen
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DES 2 MD5
Message-ID: <20000708225519.A185@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from yurtesen@ispro.net.tr on Sat, Jul 08, 2000 at 01:48:11PM +0300
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Jul 08, 2000 at 01:48:11PM +0300, Evren Yurtesen wrote:
> I have been using DES on my system and I have approx 2000 users
> with DES passwords. Is it possible to make the system create the
> new passwords with MD5 only? Unfortunately when I use DES then
> the system recognises the MD5 passwords also but the other way
> around is not working. (Well, didn't work when I tried last.)
>
> How can I make simple programs like passwd and adduser to create
> these passwords as MD5 even though I use DES? Or should I use
> brute force to find out all passwords and then encrypt them
> again???!?!?

This comes up from time to time and there is presently no easy way to
convert a user who has a DES password to MD5.
With the descrypt libraries, passwd(1) defaults new passwords to DES and
will keep a DES password DES and a MD5 stays MD5. The scrypt library only
understands MD5.

Hacking some kind of switch into passwd(1) so that it will (a) default
new users one way or the other and (b) make all changed passwords move
to one or the other via some switch (/etc/passwd.conf or an entry in
login.conf) would be very useful. Even if the hack is not pretty,
sending in patches with a change-request PR might get things moving.

That said, here is a very ugly, but quick approach:

  (1) User successfully logs in with current DES password.
  (2) User uses your special 'newpasswd' wrapper.
  (3) The newpasswd wrapper puts a dummy entry in master.passwd that
      will trick passwd(1) into thinking the user has a MD5 password.
  (4) The wrapper starts passwd(1) and the user sets a new MD5 password.

This could be scripted or in C. However, it needs root privs so all of
the caveats about suid scripts and programs are implied.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
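
Added example, not part of the original message or of FreeBSD: a migration like the one discussed in this thread usually starts with an inventory of which accounts still carry DES hashes. The function names and the sample records below are constructed for illustration; the script assumes the ten-field master.passwd(5) layout and identifies schemes only by prefix and length.

```shell
#!/bin/sh
# Added example: inventory password-hash schemes in a master.passwd(5) file.
# On a real system, run as root: classify_hashes /etc/master.passwd

# Print "user scheme" for every record; reads the named files or stdin.
classify_hashes() {
    awk -F: '
        /^#/ || NF != 10 { next }   # skip comments and malformed records
        {
            pw = $2
            clean = (pw !~ "[^./0-9A-Za-z]")   # only crypt(3) alphabet chars
            if (pw == "")                              s = "empty"
            else if (substr(pw, 1, 1) == "*")          s = "disabled"
            else if (pw ~ "^[$]1[$]")                  s = "md5"
            else if (length(pw) == 13 && clean)        s = "des"
            else if (length(pw) == 20 && substr(pw, 1, 1) == "_" &&
                     substr(pw, 2) !~ "[^./0-9A-Za-z]") s = "des-extended"
            else                                       s = "other"
            print $1, s
        }' "$@"
}

# Names of accounts that still hold a DES hash (traditional or extended).
des_users() {
    classify_hashes "$@" | awk '$2 == "des" || $2 == "des-extended" { print $1 }'
}

# Number of accounts per scheme, one "scheme count" pair per line.
scheme_counts() {
    classify_hashes "$@" | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample records (hypothetical accounts, made-up hash strings).
sample_master_passwd() {
cat <<'EOF'
# constructed sample, not a real master.passwd
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:abCDefGHijKL.:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:_Ab..cdefGHIJklmnOPQ:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF
}

sample_master_passwd | scheme_counts
```

Accounts reported as "empty" or "other" deserve a manual look before any bulk change, since they fall outside both schemes the thread covers.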