CentOS - Jun 2008 - How to enable SHA1 passwords after migration from OpenSUSE?

Hi there!

I have recently migrated my old server from OpenSUSE 10.0 to CentOS 5.
Almost everything works great, except for one thing - user passwords.
In the old system they were in a form:

root:$2a$05$9V.P3/KV2fd0r/O8hs0gNueaidF35edj3DL6skb32qZJNpvwVHiUO:12183:0:99999:7:::

and that format doesn't seem to be understood by CentOS. When I change
the password I get something like:

root:$1$Z0HGYkIb$fbkW0gR6c.k7rENE1NlzE0:14055:0:99999:7:::

Note the encrypted password begins with $2a$... in OpenSUSE while in
CentOS it starts with $1$... CentOS passwords (MD5?) are understood by
OpenSUSE but OpenSUSE passwords (SHA1?) are not understood by CentOS.
Is there any way around that? Perhaps get some PAM module from
OpenSUSE? Or just some setting somewhere? Having to reset passwords
for all my users would be a royal pain.

Thanks!

PaPa

On Thu, Jun 26, 2008 at 2:05 PM, Papalagi Pakeha
<papalagi.pakeha at gmail.com> wrote:
> Hi there!
>
> I have recently migrated my old server from OpenSUSE 10.0 to CentOS 5.
> Almost everything works great, except for one thing - user passwords.
> In the old system they were in a form:
>
>
root:$2a$05$9V.P3/KV2fd0r/O8hs0gNueaidF35edj3DL6skb32qZJNpvwVHiUO:12183:0:99999:7:::
>
> and that format doesn't seem to be understood by CentOS. When I change
> the password I get something like:
>
> root:$1$Z0HGYkIb$fbkW0gR6c.k7rENE1NlzE0:14055:0:99999:7:::
>
> Note the encrypted password begins with $2a$... in OpenSUSE while in
> CentOS it starts with $1$... CentOS passwords (MD5?) are understood by
> OpenSUSE but OpenSUSE passwords (SHA1?) are not understood by CentOS.
> Is there any way around that? Perhaps get some PAM module from
> OpenSUSE? Or just some setting somewhere? Having to reset passwords
> for all my users would be a royal pain.
>
> Thanks!
>
> PaPa
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
First: '$2a' is not SHA1 its Blowfish.

I belive you need libxcrypt support, I'm not sure just google fast I
hope this will help you.

# OpenSUSE 10.2 box
$ ldd /lib/security/pam_unix2.so
       linux-gate.so.1 =>  (0xfbffe000)
       libpam.so.0 => /lib/libpam.so.0 (0xb7fd2000)
       libnsl.so.1 => /lib/libnsl.so.1 (0xb7fbb000)
       libdl.so.2 => /lib/libdl.so.2 (0xb7fb7000)
libxcrypt.so.1 => /lib/libxcrypt.so.1 (0xb7f81000) # <-----------
       libc.so.6 => /lib/libc.so.6 (0xb7e4e000)
       libaudit.so.0 => /lib/libaudit.so.0 (0xb7e3a000)
       /lib/ld-linux.so.2 (0x80000000)

http://wiki.linuxfromscratch.org/hints/browser/trunk/blowfish-passwords.txt
http://osdir.com/ml/linux.lfs.hardened/2007-01/msg00003.html

First, are you running 5.2 or a older version ? If it is a older
version, first upgrade to 5.2.

Then read
http://www.centos.org/docs/5/html/release-notes/as-amd64/RELEASE-NOTES-U2-x86_64-en.html#id2914967
and the section about SHA passwords.

Regards,
Tim

-- 
Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the
"microsoft approach to programming" and should never be allowed.
(Linus Torvalds)