I recently upgraded an ubuntu server with many users to a recent version from a version from 2008. The server used to use md5 password hashes (e.g., the shadow passwords began with $1$) and now is configured to use sha512.
I'd prefer to keep using sha512, but would like the old users to be able to partially login once with their old password and then be forced to update their password (even if its the same password) generating a sha512. Right now, the old md5-based passwords in /etc/shadow won't let the user login at all (and just appear to be incorrect passwords).
This seems like plenty of people should have had to do this before; yet I can't see how to do it, looking in the common places like /etc/pam.d/common-password nad /etc/login.defs. Also users will be logging in via ssh; and I do not have everyone's contact info (email or otherwise); and some login fairly rarely.
Any help? (Googling doesn't seem to give any good solutions).
1 Answer
Theoretically it should work like this: Users should be able to login with their MD5 passwords, and whenever they change it they would get an SHA512 password.
Difficult to judge why people cannot login with their MD5 password. Authentication with the SHA512 passwords works? If you temporary change to MD5 and change a password of a test user, can you then login for him? Maybe you can post the /etc/pam.d/common-auth non-comment-lines for having a look. And of course logfiles could have some background-information.
For your wish of requiring people to change their password, you could set the last-change date to 0 in /etc/shadow. E.g. for the user foobar
sudo chage -d 0 foobar 1