From owner-freebsd-hackers Mon Oct 16 18:11:32 2000
From: Terry Lambert
Message-Id: <200010170111.SAA05324@usr05.primenet.com>
Subject: Re: Getting Linux NIS to work with FreeBSD NIS servers
To: billf@chimesnet.com (Bill Fumerola)
Date: Tue, 17 Oct 2000 01:11:14 +0000 (GMT)
Cc: shocking@houston.rr.com (Stephen Hocking), hackers@FreeBSD.ORG
In-Reply-To: <20001015232612.S37870@jade.chc-chimes.com> from "Bill Fumerola" at Oct 15, 2000 11:26:12 PM

> > The Linux box appears to know about the users, it just can't get
> > the passwords right - something tickles my mind about DES vs
> > MD5, is this the case, and how do I convert my MD5 passwords
> > if needed?
>
> Yes that's the case, no there is no "conversion" program. If there was
> a conversion program it would mean there is a way to translate to plaintext
> and that obviously isn't the case (modulo brute-force).

You can also implement an update proxy, using an appropriate PAM
mechanism, if you force it to go through PAM; I did a similar thing
to provide a migration path for an email system from one provider
to a new provider.

The way it works is that you communicate your password to the proxy
before the cryptographic hash (of whatever flavor) is applied. If the
credentials don't yet exist in the new database, you apply the legacy
hash, and check the value in the legacy database. If this matches,
then you know the password is valid in the legacy database. You then
apply the new cryptographic hash to the plaintext, resulting in a new
password. You store the new value in your new database, and you're done.

Cyrus has both IMAP4 and POP3 proxies that are easily adapted to this
sort of scheme; for example, for migrating credentials from a UNIX-style
password file into an OpenLDAP 2.0 (LDAPv3) directory...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
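
The migrate-on-login proxy described in the message above, as an added example that is not part of the original post and is not Cyrus or PAM code. The salted-MD5 legacy_hash is a stand-in for the real legacy crypt() scheme, and PBKDF2-HMAC-SHA256 as the new scheme, the in-memory dictionaries and all names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the new scheme


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the legacy scheme; NOT real DES crypt() or md5-crypt.
    return hashlib.md5(salt + password.encode()).digest()


def new_hash(password: str, salt: bytes) -> bytes:
    # Assumed target scheme for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class MigratingAuthProxy:
    """Sees the plaintext at login, so it can re-hash it under the new scheme."""

    def __init__(self, legacy_db: dict, new_db: dict):
        self.legacy_db = legacy_db  # user -> (salt, legacy digest), read-only
        self.new_db = new_db        # user -> (salt, new digest)

    def authenticate(self, user: str, password: str):
        """Return (ok, source); source is "new", "migrated" or None."""
        record = self.new_db.get(user)
        if record is not None:
            # Once a user is migrated, the new database is authoritative:
            # a stale legacy password must not be accepted any more.
            salt, digest = record
            ok = hmac.compare_digest(new_hash(password, salt), digest)
            return ok, ("new" if ok else None)
        record = self.legacy_db.get(user)
        if record is None:
            return False, None
        salt, digest = record
        if not hmac.compare_digest(legacy_hash(password, salt), digest):
            return False, None  # a failed login never writes to the new database
        new_salt = os.urandom(16)
        self.new_db[user] = (new_salt, new_hash(password, new_salt))
        return True, "migrated"


def demo():
    salt = b"constructed"  # constructed sample record, not real data
    legacy = {"alice": (salt, legacy_hash("old-secret", salt))}
    proxy = MigratingAuthProxy(legacy, {})
    attempts = ["wrong-guess", "old-secret", "old-secret"]
    return [proxy.authenticate("alice", p) for p in attempts]
```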