Fixing /etc/shadow with md5 passwords to sha512 passwords

I recently upgraded an ubuntu server with many users to a recent version from a version from 2008. The server used to use md5 password hashes (e.g., the shadow passwords began with $1$) and now is configured to use sha512.

I'd prefer to keep using sha512, but would like the old users to be able to partially login once with their old password and then be forced to update their password (even if its the same password) generating a sha512. Right now, the old md5-based passwords in /etc/shadow won't let the user login at all (and just appear to be incorrect passwords).

This seems like plenty of people should have had to do this before; yet I can't see how to do it, looking in the common places like /etc/pam.d/common-password nad /etc/login.defs. Also users will be logging in via ssh; and I do not have everyone's contact info (email or otherwise); and some login fairly rarely.

Any help? (Googling doesn't seem to give any good solutions).

1 Answer

Theoretically it should work like this: Users should be able to login with their MD5 passwords, and whenever they change it they would get an SHA512 password.

Difficult to judge why people cannot login with their MD5 password. Authentication with the SHA512 passwords works? If you temporary change to MD5 and change a password of a test user, can you then login for him? Maybe you can post the /etc/pam.d/common-auth non-comment-lines for having a look. And of course logfiles could have some background-information.

For your wish of requiring people to change their password, you could set the last-change date to 0 in /etc/shadow. E.g. for the user foobar

sudo chage -d 0 foobar
1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like