Re: password hash in shadow file
- Date: Tue, 13 Mar 2018 19:36:19 +0100
- From: Sven Hartge <sven@xxxxxxxxxxxxx>
- Subject: Re: password hash in shadow file
> On Tue, Mar 13, 2018 at 05:25:18PM +0100, Sven Hartge wrote:
>> Adam Weremczuk <adamw@xxxxxxxxxxxxxxxxx> wrote:
>>> I think it was me invoking "passwd" as root and aborting (ctrl+D)
>>> without making any changes. Would that be enough to update the
>>> shadow file?
>> You can't reverse a hash and to generate a new hash the code needs
>> the password for the user in plain.
> Well, to be fair, the change to SHA-1 is because you can "reverse" MD5
> all too easily.
> But I don't think your operating system is going to do that behind
> your back ;-)
It would be quite obvious when just starting "passwd" takes several days
while it cracks your MD5 hash to replace it with a stronger one ;)
But on that note: I wonder if one could create a PAM module which will
do just that on successful login. Once you *know* you have the right
password (and the PAM system has that knowledge including the plain text
password the user entered) just rehash it and update /etc/shadow.
This will gradually upgrade all hashes once a user uses an account.
Sigmentation fault. Core dumped.
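
The rehash-on-login idea from the message above, as an added Python sketch that is not part of the original post and not an existing PAM module. The `md5-demo` and `pbkdf2-demo` hash formats, the dict standing in for /etc/shadow, and all function names are assumptions made for illustration; they are not real crypt(3) scheme ids.

```python
import hashlib, hmac, os

# Stand-in schemes (assumptions for this sketch, not real crypt(3) ids):
# "$md5-demo$salt$hex" is the legacy form, "$pbkdf2-demo$rounds$salt$hex" the target.
ROUNDS = 200_000

def _digest(scheme, password, salt, rounds=0):
    pw = password.encode()
    if scheme == "md5-demo":
        return hashlib.md5(salt.encode() + pw).hexdigest()
    return hashlib.pbkdf2_hmac("sha256", pw, salt.encode(), rounds).hex()

def make_hash(password, scheme="pbkdf2-demo", salt=None):
    salt = salt or os.urandom(8).hex()
    if scheme == "pbkdf2-demo":
        return f"$pbkdf2-demo${ROUNDS}${salt}${_digest(scheme, password, salt, ROUNDS)}"
    return f"$md5-demo${salt}${_digest('md5-demo', password, salt)}"

def verify(password, stored):
    parts = stored.split("$")[1:]  # locked ("*", "!") or empty fields give no parts
    if len(parts) == 3 and parts[0] == "md5-demo":
        expected = _digest("md5-demo", password, parts[1])
    elif (len(parts) == 4 and parts[0] == "pbkdf2-demo"
          and parts[1].isdigit() and int(parts[1]) > 0):
        expected = _digest("pbkdf2-demo", password, parts[2], int(parts[1]))
    else:
        return False
    return hmac.compare_digest(expected, parts[-1])

def needs_upgrade(stored):
    return not stored.startswith(f"$pbkdf2-demo${ROUNDS}$")

def login(shadow, user, password):
    stored = shadow.get(user)
    if stored is None or not verify(password, stored):
        return False                        # failed login: record stays untouched
    if needs_upgrade(stored):
        shadow[user] = make_hash(password)  # plaintext is only available right now
    return True

def still_legacy(shadow):
    # Accounts that have not logged in since the switch keep their old hash.
    return sorted(u for u, h in shadow.items() if h.startswith("$") and needs_upgrade(h))

# Constructed sample data: two legacy accounts and one locked account.
SHADOW = {"alice": make_hash("correct horse", "md5-demo", "ab12"),
          "bob": make_hash("hunter2", "md5-demo", "cd34"),
          "daemon": "*"}
```

Accounts that never log in keep their old hash, so `still_legacy` is the list an administrator would still need to handle by forcing a password change.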