Can Linux use a mix of SHA-1 and CRYPT passwords?

encryption password shadow users

We have an automated sync-routine that uses useradd to create new users on an Ubuntu 10.04 machine. The application launching the routine provided both username and CRYPT-encrypted password. However, since we changed how passwords are handled in order to include LDAP support, passwords now don't have to be CRYPT but can also be MD5 or SHA-1. In fact, SHA-1 is the new default. This, however, now causes problems.

I have read up on how /etc/shadow is handled and there doesn't seem to be an id for SHA-1, only for SHA-256/SHA-512 ($5$ and $6$ respectively). The only thing I found was to change the whole thing from CRYPT to SHA-1. We could do that, but we wanted the whole transition to be as non-disruptive as possible.

Is there a way to use both CRYPT and SHA-1 passwords together?

NOTES
– The main application is a CMS on an entirely different server. The Linux server in question is a local machine (slave) at the client's location in order to provide local services.
– We are aware that we could switch the entire system out to use LDAP-only, but, as outlined earlier, we don't want to change everything at once.

Best Answer

Why not authenticate those users for which you only have an unsalted SHA-1 hash of their password by some means other than /etc/shadow?

Using PAM, you can have as many authentication modules as you want and stack them as you want. You can keep pam_unix.so for some users and use pam_ldap.so for the rest.
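
The split described in this answer has to be made by the sync routine for every credential it receives. The following is an added example, not code from the original post: it assumes the routine gets either a bare crypt(3) string or an LDAP `userPassword` value with an RFC 2307 scheme prefix, and the names `is_crypt` and `route` are hypothetical.

```python
import base64
import binascii
import re

# Assumption: each synced credential is either a bare crypt(3) string or an
# LDAP userPassword value with an RFC 2307 scheme prefix such as {SHA}.
CH = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and hashes
CRYPT_MODULAR = re.compile(r"^\$(1|5|6)\$(rounds=\d+\$)?%s{1,16}\$%s+$" % (CH, CH))
CRYPT_DES = re.compile(r"^%s{13}$" % CH)
LDAP_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")
RAW_DIGEST_LEN = {"SHA": 20, "MD5": 16}  # unsalted digest sizes in bytes


def is_crypt(value):
    """True if the string is in a format crypt(3) verifies from /etc/shadow."""
    return bool(CRYPT_MODULAR.match(value) or CRYPT_DES.match(value))


def route(value):
    """Return ("shadow", hash) or ("ldap", None) for one credential.

    "shadow": hand the hash to `useradd -p`; pam_unix.so checks it.
    "ldap":   create the account without a usable shadow hash and let
              pam_ldap.so, stacked after pam_unix.so, check the password.
    """
    m = LDAP_SCHEME.match(value)
    scheme, body = (m.group(1).upper(), m.group(2)) if m else ("CRYPT", value)
    if scheme == "CRYPT":
        if not is_crypt(body):
            raise ValueError("not a crypt(3) hash")
        return ("shadow", body)
    if scheme not in RAW_DIGEST_LEN:
        raise ValueError("unsupported scheme {%s}" % scheme)
    try:
        digest = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("malformed {%s} value" % scheme)
    if len(digest) != RAW_DIGEST_LEN[scheme]:
        raise ValueError("wrong digest length for {%s}" % scheme)
    return ("ldap", None)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("$6$c0nstruct$" + "A" * 86,
                   "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
                   "{CRYPT}abCdEfGhIjKlM"):
        print(sample[:12], "->", route(sample)[0])
```

Anything that is neither a crypt(3) string nor a well-formed `{SHA}`/`{MD5}` value raises `ValueError`, so a malformed hash is rejected instead of being written to /etc/shadow.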
