RedHat to Suse migration
Hello! Is there any simple way to migrate from RedHat to Suse? All users and passwords must remain the same. Problem is with users which have been on the system from RH7.3 and have also been migrated with upgrade to RH9. Thanks for all your help. M.
Scorpy wrote:
Hello!
Is there any simple way to migrate from RedHat to Suse? All users and passwords must remain the same. Problem is with users which have been on the system from RH7.3 and have also been migrated with upgrade to RH9.
Thanks for all your help.
While you can't upgrade directly, what you can do, is backup your /home directory along with /etc/passwd and /etc/shadow.
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3. Thanks.

-----Original Message-----
From: James Knott [mailto:james.knott@rogers.com]
Sent: Saturday, March 05, 2005 7:46 PM
To: suse-linux-e@suse.com
Subject: Re: [SLE] RedHat to Suse migration

Scorpy wrote:
Hello!
Is there any simple way to migrate from RedHat to Suse? All users and passwords must remain the same. Problem is with users which have been on the system from RH7.3 and have also been migrated with upgrade to RH9.
Thanks for all your help.
While you can't upgrade directly, what you can do, is backup your /home directory along with /etc/passwd and /etc/shadow.
On Saturday 05 March 2005 19:39, Scorpy wrote:
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3.
You're saying the shadow passwords from red hat 7.3 won't work as is in suse 9.2? Do you happen to know which hashing function was used in 7.3?
No, I don't know which function is used, but the string is shorter than in newer versions.

-----Original Message-----
From: Anders Johansson [mailto:andjoh@rydsbo.net]
Sent: Saturday, March 05, 2005 9:47 PM
To: suse-linux-e@suse.com
Subject: Re: [SLE] RedHat to Suse migration

On Saturday 05 March 2005 19:39, Scorpy wrote:
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3.
You're saying the shadow passwords from red hat 7.3 won't work as is in suse 9.2? Do you happen to know which hashing function was used in 7.3?
On Saturday 05 March 2005 21:09, Scorpy wrote:
No, I don't know which function is used, but the string is shorter than in newer versions.
I haven't installed red hat 7.3, but I looked at the passwd utility in it, and it's linked against libcrypto.so.1, just like in suse. So the question is have you actually tried it and seen it fail? Could you give an example of one of these "shorter" hash strings from /etc/shadow (a temporary, unimportant password naturally)
On Saturday 05 March 2005 4:28 pm, Anders Johansson wrote:
On Saturday 05 March 2005 21:09, Scorpy wrote:
No, I don't know which function is used, but the string is shorter than in newer versions.
I haven't installed red hat 7.3, but I looked at the passwd utility in it, and it's linked against libcrypto.so.1, just like in suse. So the question is have you actually tried it and seen it fail? Could you give an example of one of these "shorter" hash strings from /etc/shadow (a temporary, unimportant password naturally)

We recently built a new server using Fedora Core 2 (my partner was too stubborn to use SuSE, and the system was built at his home). The old server is running Red Hat 7.1. I copied the entries from the 7.1 system to the Fedora system with no problem. Both the lines from /etc/passwd and /etc/shadow. This should work for SuSE,
Also, whenever I build a system, I generally maintain separate /home and /usr/local file systems so I can install a new OS.
--
Jerry Feldman <gaf@blu.org>
Boston Linux and Unix user group
http://www.blu.org
PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Hi,

Anders Johansson wrote:
On Saturday 05 March 2005 21:09, Scorpy wrote:
No, I don't know which function is used, but the string is shorter than in newer versions.
I haven't installed red hat 7.3, but I looked at the passwd utility in it, and it's linked against libcrypto.so.1, just like in suse. So the question is have you actually tried it and seen it fail? Could you give an example of one of these "shorter" hash strings from /etc/shadow (a temporary, unimportant password naturally)
The explanation for the "longer" or "shorter" encrypted passwords is quite easy, when you have read "man 3 crypt". In brief:

Encrypted passwords usually start with a so-called "salt", followed by the digest of the clear text password. The salt was originally used to allow a slight modification to the originally used hashing algorithm (based on DES), so that existing hardware crackers could not be used for cracking passwords.

By default, the passwords are hashed using DES which is completely intolerable today because DES has only 56 bits and can be broken by brute force with relatively little effort. Encrypted DES passwords are always 13 bytes long, 2 for the salt, 11 for the asciified hash.

If the encrypted password begins with the special string "$1$" then it is a password hashed with MD5 which is a lot safer than DES. Encrypted MD5 passwords have a constant length of 34 bytes including salt.

Finally, if the encrypted password begins with string "$2a$" (the crypt manpage shipped with SuSE 9.2 ignores that fact but it is true nonetheless), Blowfish is used as the hashing algorithm. These encrypted passwords are always 60 bytes long.

When passwords are changed or added the value of the variable "CRYPT_FILES" in /etc/default/passwd is checked for the format. Alternatively, you can do that with yast, in "Security & Users" -> "Security Settings".

The moral: Even if your RedHat users still have DES passwords, a migration is no problem because the libcrypt shipped with SuSE can still read and check these old passwords (not vice versa maybe). For security reasons you should however enforce that nobody uses DES passwords; and some people also disapprove of MD5. The people having MD5 passwords (try:

grep -v '$1$' /etc/shadow | grep -v '$2a$'

) should change their passwords immediately.

Regards,
Guido
--
Imperia AG, Development
Leyboldstr. 10 - D-50354 Hürth - http://www.imperia.net/
On Monday 07 March 2005 07:58, Guido Flohr wrote:
The moral: Even if your RedHat users still have DES passwords, a migration is no problem because the libcrypt shipped with SuSE can still read and check these old passwords (not vice versa maybe). For security reasons you should however enforce that nobody uses DES passwords; and some people also disapprove of MD5. The people having MD5 passwords (try:
grep -v '$1$' /etc/shadow | grep -v '$2a$'
) should change their passwords immediately.
I assume from what you've said that I have MD5 passwords, for example:

# grep -v '$1$' /etc/shadow | grep -v '$2a$'
amanda:!:12755:0:99999:7:::
at:!:12722:0:99999:7:::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
dhcpd:!:12722:0:99999:7:::

Is this true? Why are there no '$1$' or '$2a$'s in the output?

Thanks,
Jerome
On Tue, 2005-03-08 at 17:15, Susemail wrote:
On Monday 07 March 2005 07:58, Guido Flohr wrote:
The moral: Even if your RedHat users still have DES passwords, a migration is no problem because the libcrypt shipped with SuSE can still read and check these old passwords (not vice versa maybe). For security reasons you should however enforce that nobody uses DES passwords; and some people also disapprove of MD5. The people having MD5 passwords (try:
grep -v '$1$' /etc/shadow | grep -v '$2a$'
) should change their passwords immediately.
I assume from what you've said that I have MD5 passwords, for example:
# grep -v '$1$' /etc/shadow | grep -v '$2a$'
amanda:!:12755:0:99999:7:::
at:!:12722:0:99999:7:::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
dhcpd:!:12722:0:99999:7:::
Is this true? Why are there no '$1$' or '$2a$'s in the output?
Because you told it -not- to display any output that had those strings and it did just that. grep -v string tells grep to omit any output with string in it. Try man grep for a better explanation.
--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
* Only reply to the list please*
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Hi, Susemail,

you caught me: Never post untested code. ;-)

Susemail wrote:
(try:
grep -v '$1$' /etc/shadow | grep -v '$2a$'
) should change their passwords immediately.
I assume from what you've said that I have MD5 passwords, for example:
# grep -v '$1$' /etc/shadow | grep -v '$2a$'
amanda:!:12755:0:99999:7:::
at:!:12722:0:99999:7:::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
dhcpd:!:12722:0:99999:7:::

This is what I actually meant (modulo the line feed):

grep -v '\$1\$' /etc/shadow | grep -v '\$2a\$' | grep -v ':!:' | grep -v ':\*:'
Is this true? Why are there no '$1$' or '$2a$'s in the output?
That was the intention: Filter out the safe passwords. Option "-v" inverts grep. Try "grep --help" or think that the "v" stands for "ze ozzer _V_ay round". ;-)

Apart from smart-assing my point was: Scan /etc/shadow for encrypted passwords that do _not_ start with '$1$', '$2a$', or are '!' resp. '*'. These are DES encrypted passwords and should be considered unsafe today.

Ciao,
Guido
--
Imperia AG, Development
Leyboldstr. 10 - D-50354 Hürth - http://www.imperia.net/
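Added example (not part of any message in this thread): a shell/awk classifier for shadow-format lines that applies the prefix and length rules from Guido's two messages above, instead of chaining inverted greps. The function names and the sample entries are constructed for illustration; the hash strings are placeholders, not real hashes.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_shadow: read shadow-format lines on stdin, print "user scheme".
classify_shadow() {
    awk -F: '
    {
        h = $2
        if (h == "")                         s = "empty"     # no password set
        else if (h ~ /^[!*]/)                s = "locked"    # "!", "*", or "!" + hash
        else if (substr(h, 1, 3) == "$1$")   s = "md5"       # 34 characters with salt
        else if (substr(h, 1, 4) == "$2a$")  s = "blowfish"  # 60 characters
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
                                             s = "des"       # 2 salt + 11 hash
        else                                 s = "unknown"
        print $1, s
    }'
}

# des_users: names of accounts that still carry a 13-character DES hash.
des_users() {
    classify_shadow | awk '$2 == "des" { print $1 }'
}

# Constructed sample input; every hash field below is a placeholder string.
sample_shadow() {
    cat <<'EOF'
root:ab0123456789A:12722:0:10000::::
alice:$1$saltsalt$0123456789abcdefghijkl:12755:0:99999:7:::
bob:$2a$10$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ:12755:0:99999:7:::
carol:!ab0123456789A:12755:0:99999:7:::
daemon:*:8902:0:10000::::
dhcpd:!:12722:0:99999:7:::
EOF
}

sample_shadow | classify_shadow
```

On a real system, run it as root with `classify_shadow < /etc/shadow`, or `des_users < /etc/shadow` to list only the accounts that need a password change.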
On Tuesday 08 March 2005 13:38, Guido Flohr wrote:
Hi, Susemail,
you caught me: Never post untested code. ;-)
Susemail wrote:
(try:
grep -v '$1$' /etc/shadow | grep -v '$2a$'
) should change their passwords immediately.
I assume from what you've said that I have MD5 passwords, for example:
# grep -v '$1$' /etc/shadow | grep -v '$2a$'
daemon:*:8902:0:10000::::
dhcpd:!:12722:0:99999:7:::
This is what I actually meant (modulo the line feed):
grep -v '\$1\$' /etc/shadow | grep -v '\$2a\$' | grep -v ':!:' | grep -v ':\*:'
Is this true? Why are there no '$1$' or '$2a$'s in the output?
That was the intention: Filter out the safe passwords. Option "-v" inverts grep. Try "grep --help" or think that the "v" stands for "ze ozzer _V_ay round". ;-)
Apart from smart-assing my point was: Scan /etc/shadow for encrypted passwords that do _not_ start with '$1$', '$2a$', or are '!' resp. '*'. These are DES encrypted passwords and should be considered unsafe today.
Ciao,
Guido
--

This is going to increase my security on my LAN, thank you Guido. It seems all my user accounts on this machine are DES encrypted passwords. True?:

# grep -v '\$1\$' /etc/shadow | grep -v '\$2a\$' | grep -v ':!:' | grep -v ':\*:'
root:xRn5rSXQTLinA:12722:0:10000::::
orion:IlLxOxmI2A1TY:12722:0:99999:7:::
jeromely:pRHPBze2mpAg.:12755:0:99999:7:-1::

I'm using 9.2. I'm surprised my user passwords are DES encrypted. I assume this is because this system was updated from previous versions.

Thanks for such a clear description of encryption protocols and their relative usefulness. I want to switch my user password encryption to Blowfish. Yast, in "Security & Users" -> "Security Settings" says it's already set to Blowfish. If I change my passwords will the new ones be Blowfish encrypted?

Ciao,
Jerome
Anders Johansson wrote:
On Saturday 05 March 2005 19:39, Scorpy wrote:
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3.
You're saying the shadow passwords from red hat 7.3 won't work as is in suse 9.2? Do you happen to know which hashing function was used in 7.3?
If SuSE can't read a user's password, root can always assign them a new one, which can then be changed by the user.
Yeah...but that's the easy solution. I need (as I said) the old passwords.

-----Original Message-----
From: James Knott [mailto:james.knott@rogers.com]
Sent: Saturday, March 05, 2005 10:13 PM
To: suse-linux-e@suse.com
Subject: Re: [SLE] RedHat to Suse migration

Anders Johansson wrote:
On Saturday 05 March 2005 19:39, Scorpy wrote:
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3.
You're saying the shadow passwords from red hat 7.3 won't work as is in suse 9.2? Do you happen to know which hashing function was used in 7.3?
If SuSE can't read a user's password, root can always assign them a new one, which can then be changed by the user.
Scorpy wrote:
Yeah...but that's the easy solution. I need (as I said) the old passwords.
Regardless of how you upgrade, you'll be in the same situation WRT passwords. SuSE can either read them or it can't. Either way, what's more important, is maintaining the user IDs. This info is contained in the password files.
Scorpy wrote:
The problem is that there are some passwords that have been encrypted differently than others. The RedHat9 is directly upgradable by copying these files, but I also need a solution for those older passwords used in RH7.3.
How do you know that SuSE can't read them? It supports three different encryption methods. Failing that, just give the users new passwords, which they can then change.
On Sat, 2005-03-05 at 10:31, Scorpy wrote:
Hello!
Is there any simple way to migrate from RedHat to Suse? All users and passwords must remain the same. Problem is with users which have been on the system from RH7.3 and have also been migrated with upgrade to RH9.
After backing up /home, install Suse. When you get to the section for creating users, allow Suse to update the user directories to the new numbering scheme. I did this upgrading from 8.2 to 9.1; the user numbers went from 500 to 1000 for the first user. Use temporary passwords for all users and instruct them to immediately change them. BTW if they have the same antique passwords from the days of RH7.3 it's time to change anyway.