[CentOS] 6.2 and login.defs

Thu Dec 22 14:22:49 UTC 2011
Stephen Harris <lists at spuddy.org>

On Thu, Dec 22, 2011 at 03:30:06AM -0800, John Doe wrote:
> Hi,
> After the 6.2 upgrade, the new /etc/login.defs has:
> ENCRYPT_METHOD SHA512 instead of MD5
> Is it safe to just apply the change?
> Will my current MD5 passwords in /etc/passwd still work and only new passwords will be SHA512?
> Or are they automatically "converted" (rehashed) to SHA512?

If you look at "man 3 crypt" you'll see the same function is used to
generate all the different types of encryption; the difference is the
"salt" value.  When you try to login the system will see (based on your
shadow entry) what the current password is encrypted with and will use
the same salt to encrypt your typed-in password.

In this way the password file can contain traditional DES, MD5 and
SHA512 at the same time (for different users, obviously).  So "root"
could be SHA512, "fred" could be MD5 and "harry" could be DES, and
they'll all work.

login.defs merely defines how _new_ passwords are encrypted (when you run
the passwd command).
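As an added illustration (not part of Stephen's reply, and not shadow-utils code), the following Python reads constructed /etc/shadow and /etc/login.defs text, shows which crypt(3) method each stored hash implies from its salt prefix, extracts the salt/setting string that login would hand back to crypt(3), and lists the accounts still on a weaker method than ENCRYPT_METHOD now gives new passwords. All sample hashes and user names are constructed, and the prefix table covers only the methods discussed above.

```python
import re

# crypt(3) picks the algorithm from the prefix of the setting (salt) string; DES has none (13 chars, salt = first 2).
PREFIX_TO_METHOD = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}
STRENGTH = {"DES": 0, "MD5": 1, "SHA256": 2, "SHA512": 3}

# Constructed sample data (not real hashes): root/fred/harry on three methods, daemon locked.
SHADOW = """\
root:$6$rounds=10000$Ns0bYj2x$CONSTRUCTEDsha512hashTEXT:15695:0:99999:7:::
fred:$1$abcdefgh$CONSTRUCTEDmd5hash:15695:0:99999:7:::
harry:abJnggxhB/yWI:15695:0:99999:7:::
daemon:*:15695:0:99999:7:::
"""
LOGIN_DEFS = "# shadow-utils settings\nENCRYPT_METHOD SHA512\n"

def hash_method(stored):
    # Name the crypt(3) method behind a stored hash; None means locked or no password.
    if not stored or stored.startswith(("!", "*")):
        return None
    for prefix, name in PREFIX_TO_METHOD.items():
        if stored.startswith(prefix):
            return name
    return "DES" if len(stored) == 13 and "$" not in stored else "UNKNOWN"

def setting_string(stored):
    # The salt/setting part that login hands back to crypt(3) along with the typed password.
    m = re.match(r"^(\$\d\$(?:rounds=\d+\$)?[^$]+\$)", stored)
    return m.group(1) if m else (stored[:2] if hash_method(stored) == "DES" else None)

def parse_shadow(text):
    # Yield (user, stored_hash) from /etc/shadow-style text.
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield tuple(line.split(":")[:2])

def encrypt_method(login_defs):
    # ENCRYPT_METHOD from /etc/login.defs text, or None when it is not set.
    for parts in (line.split() for line in login_defs.splitlines()):
        if len(parts) >= 2 and parts[0] == "ENCRYPT_METHOD":
            return parts[1].upper()
    return None

def users_below_policy(shadow_text, login_defs):
    # Accounts whose stored hash is weaker than new passwords get; each stays so until passwd is run.
    target = encrypt_method(login_defs)
    if target not in STRENGTH:
        raise ValueError(f"unsupported or missing ENCRYPT_METHOD: {target}")
    return [user for user, stored in parse_shadow(shadow_text)
            if STRENGTH.get(hash_method(stored), 99) < STRENGTH[target]]
```

Run against a real /etc/shadow (root only) the last function gives the list of users to ask for a password change after the upgrade.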