Hi,

After the 6.2 upgrade, the new /etc/login.defs has:

  ENCRYPT_METHOD SHA512

instead of MD5. Is it safe to just apply the change? Will my current MD5 passwords in /etc/passwd still work and only new passwords will be SHA512? Or are they automatically "converted" (rehashed) to SHA512?

Thx,
JD
On 22.12.2011 12:30, John Doe wrote:
> Hi,
>
> After the 6.2 upgrade, the new /etc/login.defs has:
> ENCRYPT_METHOD SHA512 instead of MD5. Is it safe to just apply the change?
> Will my current MD5 passwords in /etc/passwd still work and only new passwords will be SHA512?
> Or are they automatically "converted" (rehashed) to SHA512?

I THINK and am pretty sure that it is safe, because rehashing is NOT possible in any way, and ENCRYPT says how crypting should be done, not that decrypting will only be done this way.

> are they automatically "converted" (rehashed) to SHA512?

This is technically impossible on any system and in any context. The definition of a hash is NOT INVERTIBLE, and you would need the plaintext version to generate another hash type.
From: Reindl Harald <h.reindl at thelounge.net>
>> are they automatically "converted" (rehashed) to SHA512?
> this is technically impossible on any system and in any context
> the definition of a hash is NOT INVERTIBLE and you would need
> the plaintext version to generate another hash type

By rehashed I meant 2 layers of hashing... You sha512 the old md5 hash while keeping the knowledge that it was an md5 hash. So, when the user enters their passwd, it would be md5 hashed and then sha512 hashed and compared...

JD
On Thu, Dec 22, 2011 at 03:30:06AM -0800, John Doe wrote:
> Hi,
>
> After the 6.2 upgrade, the new /etc/login.defs has:
> ENCRYPT_METHOD SHA512 instead of MD5. Is it safe to just apply the change?
> Will my current MD5 passwords in /etc/passwd still work and only new passwords will be SHA512?
> Or are they automatically "converted" (rehashed) to SHA512?

If you look at "man 3 crypt" you'll see the same function is used to generate all the different types of encryption; the difference is the "salt" value. When you try to login the system will see (based on your shadow entry) what the current password is encrypted with and will use the same salt to encrypt your typed-in password. In this way the password file can contain traditional DES, MD5 and SHA512 at the same time (for different users, obviously). So "root" could be SHA512, "fred" could be MD5 and "harry" could be DES, and they'll all work.

login.defs merely defines how _new_ passwords are encrypted (when you run the passwd command).

-- 
rgds
Stephen
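To make Stephen's point concrete, here is an added example (not from the thread or from CentOS) that reimplements the $1$ md5crypt scheme from scratch in Python and verifies a password the way crypt(3) does: the scheme and the salt are read from the stored shadow field, the typed password is hashed with that same salt, and the results are compared. The $5$/$6$ prefixes are recognised by prefix only; the sample password and salt are constructed.

```python
import hashlib
import hmac

# Base-64 alphabet used by crypt(3); it is not the RFC 4648 alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Classic $1$ md5crypt: returns the full '$1$salt$hash' shadow field."""
    salt = salt[:8]                        # md5crypt keeps at most 8 salt chars
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                               # mix in a NUL or pw[0] per bit of len
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000-round stretching
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3: rnd.update(salt)
        if i % 7: rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

def hash_method(field: str) -> str:
    """Name the scheme from the stored field's prefix, as crypt(3) does."""
    if field.startswith("$1$"): return "MD5"
    if field.startswith("$5$"): return "SHA256"
    if field.startswith("$6$"): return "SHA512"
    return "DES" if len(field) == 13 else "unknown"

def verify(password: str, stored: str) -> bool:
    """Recompute with the salt taken from the stored field and compare."""
    if hash_method(stored) != "MD5":
        raise NotImplementedError("only $1$ is implemented in this example")
    salt = stored.split("$")[2].encode()   # '$1$<salt>$<hash>' -> <salt>
    return hmac.compare_digest(md5_crypt(password.encode(), salt), stored)
```

Because the method is chosen per entry from the stored prefix, a shadow file with $1$ and $6$ entries side by side verifies each user correctly, while ENCRYPT_METHOD only decides which prefix newly set passwords get.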