I have noticed on a CentOS 4.3 server, where I had set passwords longer than 8 characters for some accounts, that only the first 8 characters are needed (if I forget or mistype the others I log in all the same).
Can I "move" the live, running system to longer passwords, and how? or is a reinstall necessary?
TIA, Marco
> Can I "move" the live, running system to longer passwords, and how? or is a reinstall necessary?
You want to use pwconv and grpconv to swap your /etc/passwd and /etc/group files to using shadow files. Run "authconfig" and make sure you have selected to use md5 and shadow passwords first.
You can run pwconv/grpconv even if the files have already been converted.
j
On Wed, Jun 14, 2006 14:50:01 PM -0500, Jason Bradley Nance (aitrus@tresgeek.net) wrote:
> > Can I "move" the live, running system to longer passwords, and how? or is a reinstall necessary?
> You want to use pwconv and grpconv to swap your /etc/passwd and /etc/group files to using shadow files.
/etc/passwd has all 'x' in the passwd field, and /etc/shadow has unreadable strings in the same field. This means shadow passwords are already enabled and I don't need at all to run pwconv/grpconv, right?
> Run "authconfig" and make sure you have selected to use md5 and shadow passwords first.
Does it matter when I run it? I mean before or after pwconv/grpconv, assuming I still need to use them?
TIA, Marco
> Does it matter when I run it? I mean before or after pwconv/grpconv, assuming I still need to use them?
Here's what I would do:
pwunconv
grpunconv
authconfig
pwconv
grpconv
Probably not entirely necessary, but does it hurt anything? The crypts will be available to local users from the time you run *unconv until you run the *conv.
j
On Wed, Jun 14, 2006 15:53:06 PM -0500, Jason Bradley Nance (aitrus@tresgeek.net) wrote:
> Here's what I would do:
> pwunconv
> grpunconv
> authconfig
> pwconv
> grpconv
OK, thanks. Just one last question before I hurt myself: this doesn't disable currently active shells, does it? I mean, I can do that as root, then change my root password to a longer one, then try to open another ssh session, all knowing that my first session is still active and allows me to back up, right?
Thanks, Marco
> OK, thanks. Just one last question before I hurt myself: this doesn't disable currently active shells, does it? I mean, I can do that as root, then change my root password to a longer one, then try to open another ssh session, all knowing that my first session is still active and allows me to back up, right?
Yes, it will totally disconnect your machine from the network and shut down ssh just to be sure.
..... o.O
No, it just manipulates text files.
Maybe you should be doing some independent research as to how the password files and PAM work first. I'd hate for you to find out that some other service you are using breaks because it suddenly can't authenticate users. I mean, why in the world was the machine installed in the first place without md5 passwords? Do you have a local service that authenticates directly off the password (shadow) file which doesn't understand md5/crypt? This isn't unheard of. Back in the day, radiusd was fun like that.
Those are questions that you should ask yourself. I'm not looking for an answer, simply giving you a direction.
j
On Wed, Jun 14, 2006 16:06:14 PM -0500, Jason Bradley Nance (aitrus@tresgeek.net) wrote:
> I mean, why in the world was the machine installed in the first place without md5 passwords?...
This *is* the same thing I asked myself (this is a VPS package I just purchased, I didn't do the initial install), but this
> I'm not looking for an answer, simply giving you a direction.
is the reason why I am asking all these questions these days, thanks.
One of the big freaking problems with do-it-yourself FOSS is that so much terminology is so damned cryptic (don't get me started on SMTP...) that one needs to ask a lot of questions just to figure out what one really needs, and which real questions one should ask to whom...
Thanks for your comments, I'll forward them to my ISP tomorrow.
Marco
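
Added example, not part of the original thread: selecting md5 in authconfig only affects passwords set afterwards, so each existing entry keeps its old hash until that password is changed. This Python sketch classifies the hash field of shadow-format lines and lists the accounts still on traditional DES crypt, which uses only the first 8 characters. The sample entries are constructed, and the bcrypt and SHA prefixes go beyond what the thread discusses.

```python
import re

# Traditional DES crypt(3): 2 salt + 11 hash characters. Only the first 8
# password characters are used, the behaviour reported in the thread.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$2y$": "bcrypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

def classify(field):
    """Name the hash scheme used in the second field of a shadow entry."""
    if field == "":
        return "empty"                 # no password required at all
    body = field.lstrip("!")           # leading '!' marks a locked password
    if body == "" or body.startswith("*"):
        return "no-login"              # '!!', '!' or '*': no usable hash
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return name
    if DES_RE.match(body):
        return "des-crypt"
    return "unknown"

def audit(lines):
    """Return [(user, scheme)] for every well-formed shadow line."""
    result = []
    for line in lines:
        line = line.strip()
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) < 2:
            continue
        result.append((parts[0], classify(parts[1])))
    return result

def truncating_accounts(lines):
    """Accounts whose stored hash ignores everything past 8 characters."""
    return [user for user, scheme in audit(lines) if scheme == "des-crypt"]

# Constructed sample in /etc/shadow layout; the hash strings are made up.
SAMPLE = """\
root:ab9Zk3LmQx7Tc:13313:0:99999:7:::
marco:$1$Qw3rTy12$0123456789abcdefghijkl:13313:0:99999:7:::
daemon:*:13313:0:99999:7:::
backup:!!:13313:0:99999:7:::
olduser:!cd4Rt8YpWn2Vs:13313:0:99999:7:::
""".splitlines()

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user:10} {scheme}")
    print("still truncating at 8:", truncating_accounts(SAMPLE))
```

On a real system the input would be the lines of /etc/shadow read as root; accounts it reports as des-crypt need a password change after md5 is enabled before longer passwords take effect.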