We have an automated sync routine that uses useradd to create new users on an Ubuntu 10.04 machine. The application launching the routine provided both username and CRYPT-encrypted password. However, since we changed how passwords are handled in order to include LDAP support, passwords now don't have to be CRYPT but can also be MD5 or SHA-1. In fact, SHA-1 is the new default. This however now causes problems.

I have read up on how /etc/shadow is handled and there doesn't seem to be an id for SHA-1, only for SHA-256/SHA-512 ($5$ and $6$ respectively). The only thing I found was to change the whole thing from CRYPT to SHA-1. We could do that, but we wanted the whole transition to be as non-disruptive as possible.

Is there a way to use both CRYPT and SHA-1 passwords together?
NOTES
– The main application is a CMS on an entirely different server. The Linux server in question is a local machine (slave) at the client's location in order to provide local services.
– We are aware that we could switch the entire system out to use LDAP-only, but, as outlined earlier, we don't want to change everything at once.
Best Answer
Why not authenticate those users for which you only have an unsalted SHA-1 hash of their password by another means than /etc/shadow. Using PAM, you can have as many authentication modules as you want and stack them as you want. You can keep pam_unix.so for some users and use pam_ldap.so for the rest.
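The stacking described in the answer, written out as an added example (not the answer author's own configuration) in the layout pam-auth-update generates for /etc/pam.d/common-auth on Ubuntu; it assumes pam_ldap is installed and already pointed at the directory through its own configuration, which is not shown here.

```text
# /etc/pam.d/common-auth  (added example, not from the original answer)
#
# Control flow: pam_unix.so checks the hash in /etc/shadow. On success it
# skips the next 2 lines (pam_ldap and pam_deny) and lands on pam_permit.
# On failure the result is ignored and pam_ldap.so is tried with the same
# password (use_first_pass), so the user is never prompted twice. If both
# modules fail, pam_deny.so ends the stack with a failure.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

# Users whose SHA-1 hash exists only in the directory keep a locked entry
# in /etc/shadow ("!" in the password field, which is what useradd writes
# when no -p is given), so pam_unix.so always fails for them and control
# falls through to pam_ldap.so. Users created with a crypt(3) hash via
# useradd -p are accepted by pam_unix.so and never reach pam_ldap.so.
#
# Because the sync routine still creates every user locally with useradd,
# the account and session phases can stay on pam_unix.so alone; only the
# password check is split between the two modules.
```

Keep a root shell open while editing this file and test a login of each kind (crypt user, directory-only user, wrong password) from a second session before closing it, since a mistake in a PAM stack locks everyone out.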