On Thu, 6 Sep 2001, Federico Sevilla III wrote:
> On Thu, 6 Sep 2001 at 10:17, Ian C. Sison wrote:
> > if 1st three letters is $1$, it's a crypt MD5 password. The 'hash' is
> > from the start of the string to the third '$'. So pass this entire
> > string to crypt as the hash. if not, it's a crypt DES password, pass
> > only the first two letters.
>
> Hmm ... I wonder then if {crypt}blahblah where blahblah is everything
> after the second $ will work. Hmm ... I'll try.
I'm not exactly sure what {crypt} or {MD5} mean in LDAP, but I know that
plain and simple MD5 is not compatible with what appears in /etc/shadow.
I learned that the hard way, when I noticed that the MySQL MD5 function
does not emit the same encrypted passwords as the one in /etc/shadow.
>
> Another solution of course will be to re-do all the passwords with some
> random generator (also re-secures the passwords of the users) using {SSHA}
> with slappasswd(8C).
Aha! That's a tech support nightmare! Maybe it's OK on your part, but if
you have 10K - 50K users, you will definitely want to migrate it!
> I noticed that LDAP will modify the password (ie: even if you view your
> encrypted password as root or the owning user, it's not using {crypt} or
> {MD5} or anything that I think I can then export if say, I want to move
> back to standard /etc/{passwd,shadow}). Orly, would you know what "format"
> is used?
Ay that is _very_ bad. Something similar to the MySQL PASSWORD() function,
which is totally incompatible with crypt or crypt-MD5. Methinks that's
broken behaviour, and introduces a lot of pain when migrating from an
existing userbase. It's bad enough that the encrypted passwords can't be
reversed to plain text! Solution is to roll your own pam module. I can
give you the code that checks for the password \8)
> I'll try {crypt}blahblah trimming out the first three characters and see
> if that works. BTW, does your MySQL auth PAM module allow passwd to change
> passwords? AFAIK pam_ldap does.
Nope. That pam function is unimplemented; but why bother? It's SQL
enabled anyway, so I just made a perl module that both a webpage front end
and perl script can call. Nice thing about this is that since everything
is a DBI call away, no more messy suid scripts in the webpage, and no more
unique UIDs per user!
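The rule Ian quotes above (a leading `$1$` means MD5-crypt and the setting runs up to the third `$`; anything else is traditional DES with a two-character salt) and the `{crypt}blahblah` idea for LDAP userPassword, written out as an added example that is not code from anyone in this thread. It only parses the strings; hashing is left to crypt(3) via the (deprecated, and absent on Python 3.13+) stdlib `crypt` module when available. The sample hash values are constructed for illustration, not taken from a real /etc/shadow.

```python
"""Pick the crypt(3) "setting" out of an /etc/shadow-style hash string and wrap or
unwrap it for an OpenLDAP userPassword attribute.  Pure string handling; the
optional verify() hands the setting to crypt(3) so the salt is reused.
Added example, not from the original thread."""
import hmac
import re
import warnings

# Alphabet used by both the DES salt/hash and the MD5-crypt salt/hash fields.
_CRYPT_ALPHABET = "./0-9A-Za-z"
# Traditional DES: 2-character salt followed by an 11-character hash (13 total).
_DES_RE = re.compile(rf"^[{_CRYPT_ALPHABET}]{{13}}$")
# MD5-crypt: "$1$" + salt of 1..8 characters + "$" + 22-character hash.
_MD5_RE = re.compile(rf"^\$1\$([{_CRYPT_ALPHABET}]{{1,8}})\$[{_CRYPT_ALPHABET}]{{22}}$")

try:  # stdlib binding to crypt(3); deprecated in 3.11 and removed in 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt as _crypt
except ImportError:
    _crypt = None


def crypt_setting(hashed: str) -> tuple[str, str]:
    """Return (scheme, setting) where setting is what to pass to crypt(3).

    "$1$salt$hash" -> ("md5", "$1$salt$")   # start of string through the third '$'
    "SShhhhhhhhhhh" -> ("des", "SS")         # first two characters only
    Anything else (e.g. a bare 32-hex MD5 digest) raises ValueError, since
    plain MD5 is not compatible with /etc/shadow.
    """
    if hashed.startswith("$1$"):
        if not _MD5_RE.match(hashed):
            raise ValueError("malformed MD5-crypt string")
        third_dollar = hashed.index("$", 3)  # position of the third '$'
        return "md5", hashed[: third_dollar + 1]
    if _DES_RE.match(hashed):
        return "des", hashed[:2]
    raise ValueError("not a DES or MD5-crypt string")


def to_ldap_userpassword(hashed: str) -> str:
    """Wrap an existing crypt string so OpenLDAP keeps it verbatim ({CRYPT} scheme)."""
    crypt_setting(hashed)  # validate before wrapping
    return "{CRYPT}" + hashed


def from_ldap_userpassword(value: str) -> str:
    """Recover the crypt string from a '{CRYPT}...' userPassword value."""
    tag = "{CRYPT}"
    if not value[: len(tag)].upper() == tag:
        raise ValueError("not a {CRYPT} userPassword value")
    hashed = value[len(tag):]
    crypt_setting(hashed)  # make sure what we got back is usable with crypt(3)
    return hashed


def verify(password: str, hashed: str) -> bool:
    """Check a candidate password against a DES or MD5-crypt hash via crypt(3)."""
    if _crypt is None:
        raise RuntimeError("crypt(3) binding unavailable on this Python")
    _scheme, setting = crypt_setting(hashed)
    return hmac.compare_digest(_crypt.crypt(password, setting), hashed)


if __name__ == "__main__":
    # Constructed sample values (shape only; not verified against a real system).
    for sample in ("abJnggxhB/yWI", "$1$saltsalt$qGjWo2RZMkjvafPv5Eaw41"):
        print(sample, "->", crypt_setting(sample), to_ldap_userpassword(sample))
```

Pulling the setting out of the stored hash (rather than generating a new salt) is what lets a migration keep every user's existing password: crypt(3) recomputes with the same salt and the result can be compared byte for byte, which is exactly what an opaque, LDAP-rewritten format would prevent.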
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph