changing shadow hash algorithm to bcrypt: how to rehash


Your hashed password entries also have formatting information in them.

"$id$salt$encrypted", where "$id" is the hashing algorithm used (On GNU/Linux, "$1$" stands for MD5, "$2$" is Blowfish, "$5$" is SHA-256 and "$6$" is SHA-512, crypt(3) manpage, other Unix may have different values, like NetBSD).

If your users' passwords have a time-based expiry, they'll eventually have to update them and the new hash will be in the format you've chosen. The system can tell which format password hashes are in per user, so things will keep working as passwords are updated over time.

As it also says in the answer you reference:

Passwords that are updated after these modifications are made will be hashed using blowfish, existing shadow passwords are not modified
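
An added example, not part of the original answer: a short Python audit that classifies each shadow entry by the "$id$" prefix described above and lists the accounts that keep their old hash until the password is next changed. The sample entries, function names and the treatment of "2a"/"2b"/"2y" as bcrypt variants are assumptions made for illustration.

```python
import re

# crypt(3) id -> scheme, as listed in the answer above. Blowfish/bcrypt ids
# usually carry a variant letter ("2a", "2b", "2y"), so any id starting
# with "2" is treated as bcrypt here (assumption of this example).
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}
MCF_PREFIX = re.compile(r"^\$([A-Za-z0-9-]+)\$")


def scheme_of(field):
    """Classify the password field (2nd column) of a shadow entry."""
    body = field.lstrip("!")      # a leading "!" marks a locked password
    if body in ("", "*"):
        return "none"             # no password hash to migrate
    match = MCF_PREFIX.match(body)
    if not match:
        return "unknown"          # e.g. traditional DES, no "$id$" prefix
    ident = match.group(1)
    if ident.startswith("2"):
        return "bcrypt"
    return SCHEMES.get(ident, "unknown")


def pending_rehash(shadow_text, target="bcrypt"):
    """Return {user: scheme} for accounts whose hash is not yet `target`."""
    pending = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme = scheme_of(parts[1])
        if scheme not in (target, "none"):
            pending[parts[0]] = scheme
    return pending


# Constructed sample in shadow(5) layout; the hashes are placeholders.
SAMPLE = """\
root:$6$saltsalt$AAAAAAAA:19000:0:99999:7:::
alice:$2b$12$BBBBBBBBBBBBBBBBBBBBBB.CCCCCCCC:19500:0:99999:7:::
bob:!$1$oldsalt$DDDDDDDD:15000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in pending_rehash(SAMPLE).items():
        print(f"{user}: still {scheme}")
```

Accounts that stay on this list long after the switch are the ones that need a forced password change, since only setting a new password produces a hash in the new format.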


Author: Fabian Zeindl

Updated on September 18, 2022

Comments

  • Fabian Zeindl almost 2 years

    I want to change my SHA512 shadow file to use bcrypt as shown in this question/answer: Enable blowfish-based hash support for crypt

    The problem is that I run into a chicken and egg problem, because the existing shadow-file is SHA512 encrypted, which means sudo doesn't work anymore as soon as I edit

    /etc/pamd/common-password
    
  • Fabian Zeindl about 12 years
    But if I change the mechanism in the pam.d files, does it still "know how to do md5"?
  • loislo about 12 years
    @FabianZeindl Yes, it should. The PAM mechanism will define setting the password, but the algorithm used to check it is defined by the hash string. The PAM mechanism that handles verification should know all methods it might encounter.