Web lists-archives.com

Re: password hash in shadow file




tomas@xxxxxxxxxx wrote:
> On Tue, Mar 13, 2018 at 05:25:18PM +0100, Sven Hartge wrote:
>> Adam Weremczuk <adamw@xxxxxxxxxxxxxxxxx> wrote:

>>> I think it was me invoking "passwd" as root and aborting (ctrl+D)
>>> without making any changes.  Would that be enough to update the
>>> shadow file?
 
>> No.
>> 
>> You can't reverse a hash and to generate a new hash the code needs
>> the password for the user in plain. 

> Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> all too easily 

Yes, basically.

> But I don't think your operating system is going to do that behind
> your back ;-)

It would be quite obvious when just starting "passwd" takes several days
while it cracks your MD5 hash to replace it with a stronger one ;)

But on that note: I wonder of one could create a PAM module which will
do just that on successful login. Once you *know* you have the right
password (and the PAM system has that knowledge including the plain text
password the user entered) just rehash it and update /etc/shadow.

This will gradually upgrade all hashes once a user uses an account.

S°

-- 
Sigmentation fault. Core dumped.