Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

Hello all,
We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
That is, if we just take strings like these:
usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
usecrypt:DD2kEwCD8nies:10220::::::
Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords known only to them?
If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
Thanks,
//Jim

Just to reclarify or throw more information:
a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
{crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
I used below command :
pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
The actual hash value from pwdhash is - LiB/H70zXr3xfQPoXVuUQ1, with the rest of the prefix being there to meet the RFC standard, plus the salt and algorithm name separator.
I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
Thanks,
Gaurav
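
An added example, not part of either post above and not Sun's or the posters' code: a Python sketch that classifies the second field of a shadow line by its crypt(3) identifier, builds a `{crypt}` userPassword value only when the target can verify that algorithm, and re-encodes an unsalted MD5 hex digest as base64. It assumes the directory's `{crypt}` scheme hands the value to the platform crypt(3); the function names and the `SUPPORTED` set are hypothetical, and the locked-account line is constructed.

```python
import base64
import binascii
import re

MODULAR = re.compile(r"^\$([A-Za-z0-9]+)[$,]")   # $id$... or $id,opts$...
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt, no $id$

# Assumption: ids the target's crypt(3) can verify ("1" = Linux/BSD MD5,
# "2a" = Blowfish, "md5" = Sun MD5, "__unix__" = traditional DES crypt).
SUPPORTED = {"__unix__", "1", "2a", "md5"}


def classify_hash(field):
    """Return the crypt(3) id of a shadow password field, or None when the
    field holds no usable hash (empty, locked, or unrecognised)."""
    if not field or field[0] in "!*":
        return None
    m = MODULAR.match(field)
    if m:
        return m.group(1)
    if DES_CRYPT.match(field):
        return "__unix__"
    return None


def shadow_to_userpassword(line, supported=SUPPORTED):
    """Map one shadow(4) line to (user, userPassword value or None, note)."""
    user, _, rest = line.partition(":")
    field = rest.split(":", 1)[0]
    algo = classify_hash(field)
    if algo is None:
        return user, None, "no usable hash; password reset required"
    if algo not in supported:
        return user, None, "target crypt(3) cannot verify algorithm " + algo
    # The hash string is copied unchanged; only the scheme prefix is added.
    return user, "{crypt}" + field, "ok"


def hex_md5_to_ldap(hexdigest):
    """Re-encode an unsalted MD5 hex digest as a base64 {MD5} value."""
    raw = binascii.unhexlify(hexdigest)
    if len(raw) != 16:
        raise ValueError("an MD5 digest is 16 bytes")
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    sample = [
        "usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116",
        "usecrypt:DD2kEwCD8nies:10220::::::",
        "lockeduser:!!:15000::::::",          # constructed sample line
    ]
    for line in sample:
        print(shadow_to_userpassword(line))
    # A target whose crypt(3) only knows traditional crypt rejects the $1$ hash.
    print(shadow_to_userpassword(sample[0], {"__unix__"}))
    print(hex_md5_to_ldap("41da76f0fc3ec62a6939e634bfb6a342"))
```

The `$1$` value in the shadow line and the `$md5$` value printed by pwdhash carry different algorithm identifiers (Linux/BSD MD5 versus Sun MD5), so neither string can be compared with the other or with a plain MD5 digest of the same password.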

Similar Messages

  • Sun cluster for solaris (intel platform)

    I wonder whether sun cluster will support oracle rac under intel platform?

    I believe this is the plan. However, there is a bunch of work yet to do before
    this can be qualified and supported. Stay tuned.
    -- richard

  • Pre-Version 10 Shadow Files migration

    Hi all,
    Anyone know whether it's possible to use the shadow file encrypted passwords from a Version 9 and 6 system, and import them into the Solaris 10 environment?
    Have a requirement to migrate 300 users from a version 6 system and 150 users from a version 9 system. And don't want to have to manually create all the user accounts and passwords from scratch.
    I have previously copied the passwd and shadow contents onto other systems to speed it up. But am concerned version 10 may be using a different encryption method on the password hashing.
    Any feedback would be appreciated, thanks.

    Check:
    /etc/security/policy.conf CRYPT_DEFAULT does not need to be the same (you can import a crypt shadow file on a system configured for md5, it will simply use md5 on next password change) but CRYPT_ALGORITHMS_ALLOW must include the algorithms used on source machine. (you cannot import md5 passwords into a machine not allowing them).
    Otherwise, I don't see any other possible source of trouble.

  • Sun Management Console doesn't support MD5 passwords?

    I recently converted all our Sun systems to use MD5 passwords, using the Linux-BSD algorithm. I chose the Linux-BSD algorithm for compatibility reasons. After giving root a new password, now stored in MD5 format, I can no longer log in to the Sun Management Console (smc). I had the same problem with DB2. Switching root's password back to CRYPT fixed the issue.
    Is this a known problem that Sun is working on? And how does this happen? Shouldn't the application leave authentication to the OS?
    Mark

    IIRC the Solaris 10 Basic admin guide talks about this issue.
    alan

  • I changed my password to use migration to transfer files from a G4 to a new macbook pro but now I have to sign in every time. How do I avoid the sign in?

    I changed my password to use migration to transfer files from a G4 to a new macbook pro but now I have to sign in every time. How do I avoid the sign in?

    I clicked on keychain access but getting a warning that it quit unexpectedly and it won't reopen.

  • Migrating /etc/shadow from *nix to OS X?

    Is it possible to migrate users from Linux/Unix to OS X? I really just need some way to merge a traditional /etc/shadow file with /var/db/shadow. Since both are hashed via separate ways, I'm sure there's no "just copy it here".
    I've seen a few re-written userlands on sourceforge that would enable the normal use of /etc/shadow on OS X, this can't be the only solution...
    Thanks for reading or responding!

    There isn't any method I'm aware of.
    The problem is that the passwords are not stored in these files - they only store a hashed/encrypted version of the password. When a user logs in, their password is encrypted using the same algorithm and then compared to the shadow file. If the encrypted versions match then the authentication succeeds.
    In this way the shadow file doesn't need to store the actual password, which enhances security, but it also makes it impossible to migrate the passwords to a different system since you cannot retrieve the original password from the shadow file.
    As a result I don't think there's any way to migrate passwords via this file. If you're migrating your users to a new directory server then you probably have to give them new passwords.

  • LDAP authentication with MD5 passwords

    Hi,
    in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
    I know it is to be done with {crypt} storage scheme.
    This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
    Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
    Thanks in advance,
    Kristof

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with : Base 64 encoded md5
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==
    Thanks again for any help..

  • Test with my Shadow File

    So a few weeks back I watched an episode of Hak5, and I saw them move a SAM file from a Windows computer to a USB, and make the computer search on that USB for the password. Then they did the same thing with the Shadow file on Linux.
    So here's what I want to do:
    Idea: Move my Shadow file to a microSD adapter, when I leave my computer pull the microSD card out and put it in another location
    Execution: I need to know what file to edit that would allow me to tell the OS to look on the SD card
    For example we will use: /media/sdba1/.shadow as the location for the Shadow file on the SD card. Though this is not the true location, this is just an example
    This might seem stupid to some, but I want to test out and see if this is actually better for security reasons.
      ~Kitkin15
    Last edited by Kitkin15 (2012-05-21 17:17:26)

    ewaller wrote: Okay, I thought we might be trying to try and generate a hash collision off-line.  If so, I was going to get my moderator hammer out
    Lol naw, I just want to play around and test this out, I actually think it would be a good idea. I mean if the computer knows there's a password, yet it can't find where it's saved at (because the SD card has been taken out) then there is no way to brute force the password.... Because you can't crack what's not there. At least that's the idea, and that's what I want to do. I want to do this on my 2nd hdd and make a password list that would contain the password on the system, and see if it's still able to crack even though the password is no longer on the device, and if any errors come up I want to know which errors they are.
    If this is successful and it does prove to be uncrackable, then I want to try and do the same with an encrypted HDD that's encrypted with Truecrypt, which will take much longer than this.
    If you were to successfully do this with the Truecrypt and the Shadow passwords, your computer would be (at least for right now) completely un-crackable. Which would just be awesome, even if you had to reason to make your computer un-crackable, it would be something to brag about lol.
    I love Arch, so I want to configure it as much as I can to make it run exactly as I need
    Does anyone have any idea on how I could do this? My guess was it would have something to do with .password, and maybe I could try putting the location of the .shadow file instead of the "X" in place of password. I highly doubt that will work, so I want to see if anyone has any other ideas or opinions before I try that
      ~Kitkin15

  • Solaris & MD5 Passwords ?

    Hi!
    We've got a Linux NIS domain in-house, and would like to also integrate our Sun boxes into this domain. The problem is that RedHat Linux uses MD5 encryption for pam password, and it seems that Solaris isn't able to encrypt passwords this way...
    Does anyone know a solution, or perhaps a lib which supports md5?
    Thanks...
    -- Mirko

    One way of doing this:
    You have a Solaris resource adapter configured and it is working properly.
    Create a variable and map this variable to the password attribute on the Solaris adapter schema mapping.
    Within the form that is used when a create or update is processed, add a field with the name of the 'global.YOURVARIABLE'. Within the expansion of this field select expression and use the <script> tag to use the MD5 password javascript for instance.
    A better way of doing, is putting the <script> in a rule, test the rule, and call the rule from the expansion.
    Good luck!
    Elger.

  • Linux Cluster File System partitions for 10g RAC

    Hi Friends,
    I planned to install 2 Node Oracle 10g RAC on RHEL and I planned to use Linux File system itself for OCR,Voting Disk and datafiles (no OCFS2/RAW/ASM)
    I am having SAN storage.
    I would like to know how do i create shared/cluster partitions for OCR,Voting Disk and Datafiles (common storage on SAN).
    Do i need to install any Linux cluster file system for creating these shared partitions (as we have sun cluster in solaris)?
    If so let me know what versions are supported and provide the necessary Note / Link
    Regards,
    DB

    Hi ,
    Below link may be useful to you:
    ORACLE-BASE - Oracle 10g RAC On Linux Using NFS

  • Solaris 10 openldap authentication with md5 passwords

    Hello to everyone,
    We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
    We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
    The error messages when trying to 'su -' to the ldap user are:
    Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
    and for ssh:
    Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
    Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
    Please feel free to ask for any other configuration file:
    */etc/pam.conf*
    login   auth requisite        pam_authtok_get.so.1
    login   auth required         pam_dhkeys.so.1
    login   auth required         pam_unix_cred.so.1
    login   auth required         pam_dial_auth.so.1
    login   auth sufficient       pam_unix_auth.so.1  server_policy debug
    login   auth required           /usr/lib/security/pam_ldap.so.1 debug
    rlogin auth sufficient       pam_rhosts_auth.so.1
    rlogin auth requisite        pam_authtok_get.so.1
    rlogin auth required         pam_dhkeys.so.1
    rlogin auth required         pam_unix_cred.so.1
    rlogin  auth required          pam_unix_auth.so.1 use_first_pass
    rsh    auth sufficient       pam_rhosts_auth.so.1
    rsh    auth required         pam_unix_cred.so.1
    rsh    auth required         pam_unix_auth.so.1
    ppp     auth requisite        pam_authtok_get.so.1
    ppp     auth required         pam_dhkeys.so.1
    ppp     auth required         pam_dial_auth.so.1
    ppp     auth sufficient       pam_unix_auth.so.1 server_policy
    other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
    other   auth required           pam_unix_auth.so.1 use_first_pass debug
    passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
    passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
    cron    account required      pam_unix_account.so.1
    other   account requisite     pam_roles.so.1
    other   account sufficient       pam_unix_account.so.1 server_policy
    other   account required        /usr/lib/security/pam_ldap.so.1 debug
    other   session required      pam_unix_session.so.1
    other   password required     pam_dhkeys.so.1
    other   password requisite    pam_authtok_get.so.1
    other   password requisite    pam_authtok_check.so.1
    other   password required     pam_authtok_store.so.1 server_policy
    */etc/ldap.conf*
    base ou=users,ou=Example,dc=staff,dc=example
    ldap_version 3
    scope sub
    pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
    pam_member_attribute memberUid
    nss_map_attribute uid displayName
    nss_map_attribute cn sn
    pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
    uri ldap://ldapserver01/
    ssl no
    bind_timelimit 1
    bind_policy soft
    timelimit 10
    nss_reconnect_tries 3
    host klnsds01
    nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
    pam_password md5
    */etc/nsswitch.conf*
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:   files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:       user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files
    */etc/security/policy.conf*
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    LOCK_AFTER_RETRIES=YES
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    CRYPT_DEFAULT=1
    Thanks in advance for any response...!!

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with : Base 64 encoded md5
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==
    Thanks again for any help..

  • How to migrate sybase esql files(.cp files) to oracle pro*c files(.pc files

    I need to migrate sybase esql files(.cp files, c file with sybase embedded sql) to Oracle pro*c files (.pc files, c file with oracle embedded sql) , could anyone let me know whether there are any tools for this or the process how to migrate.
    Thanks in advance.

    I don't think there are any commercially available tools that can do this particular type of conversion. Your best bet is to re-write the app or try something like this: http://linux.windows9download.net/go/3-153300-0-download.html (open ESQL) that supports multiple databases. I don't know how good it is or if it will work with latest versions of Oracle so no guarantees. Our old migration workbench used to convert the Informix eSQL C programs to Pro*C but no Sybase esql c.
    Regards
    Prakash

  • MD5 Password Support in DS5.2

    I need to import accounts from an Oracle Directory (OID) to the Sun Directory 5.2p6. The passwords in the accounts use MD5. From what I read, MD5 is supported, but I am not finding how to configure it to work :).
    I do see a plugin called NS-MTA-MD5, but not just MD5. I tried using NS-MTA-MD5 but that does not work.
    An example MD5 password is: {MD5}SCyBHaXVtLxtSX/6mEkeOA==
    cleartext: password123
    Any help is appreciated.
    Thanks,
    Eric

    There is no default support for an MD5 hashing scheme.
    Provided the algorithm used by Oracle Directory is publicly documented, it should be pretty straightforward to implement a new Password Storage Scheme Plug-in to support both Authentication and hashing new passwords in MD5 format.
    Directory Server ships with a sample plug-in that can be used as a template.
    Regards,
    Ludovic.

  • Moving shadow files to a new volume ???

    Dear,
    In an existing Volume (VOL1) which is shadowed, I copied a specific folder (Folder1) into a newly created Volume (VOL2).
    VOL1\Folder1 copied on VOL2\Folder1
    I need to copy the shadow files\folders of Folder1 from VOL1 to VOL2\Folder1.
    Size of Shadow files\folders of VOL1\Folder1 is 1.2 TB.
    Any help is welcome.
    Thanks.

    Originally Posted by 6567410
    Dear,
    In an existing Volume (VOL1) which is shadowed, I copied a specific folder (Folder1) into a newly created Volume (VOL2).
    VOL1\Folder1 copied on VOL2\Folder1
    I need to copy the shadow files\folders of Folder1 from VOL1 to VOL2\Folder1.
    Size of Shadow files\folders of VOL1\Folder1 is 1.2 TB.
    Any help is welcome.
    Thanks.
    So your source server is shadowed (well technically the source volume).
    But the TARGET volume is not shadowed?
    Basically there's a few ways you can do this, but they all have their downfalls:
    1) Use a workstation with the Novell Client. It will see the source as a single volume and copy the data from both primary/shadow (since the NCP view sees them as "one") and paste them to the target. Obviously file rights aren't preserved, and neither are quotas, and it can be slow since it's routing through the workstation. But it will get the DATA over.
    2) Use the miggui, but with caution. There ARE ways (not supported AFAIK). If you choose this route, I can send you some of the details via PM. It does pose a small risk in that, while you temporary expose both volumes on the Primary, (so miggui can see the data), if you make any trustee changes, it'll hose things. I think it also requires that your TARGET have a shadow setup. But my memory is old. It will get quotas/trustees, and is relatively quick. We did many migrations this way to new hardware without issue (just had to be VERY careful that nobody was changing file rights during the exposing of the volume temporarily).
    3) Use your DST to shift everything BACK to the primary and then break (disable the DST/Shadow) and use miggui so that primary -> primary (ie, there's no shadowing on source or target). Obviously you need enough free disk space which you may not have. It will get quotas/trustees though.
    Others may have other ideas, but this is what I could come up with.
    --Kevin

  • Shadow file: length of salt

    Hello,
    I came across the topic password hashing and salting and have a question regarding the length of the salt:
    man crypt
    says:
    "salt"  stands  for  the  up to 16 characters following "$id$" in the salt.
    And this site says:
    The size of the salt depends on the algorithm chosen.
    I use sha-512 hash algorithm and in my shadow file the salt is 8 characters long.
    Does anybody know where this length is specified and whether I can change it somehow?
    Thanks in advance,
    matse

    I didn't say, that I want to change the value
    I just want to know, whether this value is somewhere hard coded or whether the user has principally the option to change it via a config file.
    The length of 8 characters in arch must be defined somewhere and I try to find out where.
