From: Gary W. S. <ga...@pr...> - 2006-04-02 18:45:22
Bad boy... But that's about how we had to do it as well. There is still a problem with users that infrequently log into the system. We have some users that have multiple accounts and rarely use their secondary accounts (which are critical to their configuration). Something we did for those users that had the problem with messed up passwords is to create a web page for them to go to that just validates their password. That is, it would ask them for their login and password. It would encrypt their passwords using the different algorithms, test it against the source and if valid re-encrypt the password using the new method. We did this at one site as they have about 10,000 users that they had infrequent contact with.

> -----Original Message-----
> From: pam...@li... [mailto:pam-mysql-
> gen...@li...] On Behalf Of Oded Arbel
> Sent: Sunday, April 02, 2006 9:41 AM
> To: pam...@li...
> Cc: Georg Wicherski; Alexander Schroer
> Subject: Re: [Pam-mysql-general] /etc/shadow -> mysql-pam Migration
>
> For extra credit, I hacked pam-mysql to log the logged-in cleartext
> password into a database table, and a scheduled background job uses the
> clear text to create a new sha1 hashed password - so that over time all
> the users will migrate to the sha1 storage even if they don't change
> their passwords regularly, and it will allow you to dispose of the
> duplicate auth setup at a later date. On the face of it, not that
> secure, but with proper permissions and frequent runs of the rehasher
> job the risk can be controlled.
>
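
The validate-and-re-encrypt step described in the message above, as an added example (not code from this thread or from pam-mysql). It re-hashes inside the login check, so the cleartext is never written to a table. Assumptions: legacy entries are unsalted MD5 or SHA-1 hex digests, the unspecified "new method" is replaced here by salted PBKDF2-HMAC-SHA256, a dict stands in for the MySQL user table, and all names and sample passwords are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the target scheme

# Legacy schemes to try, in order (assumed: unsalted hex digests).
LEGACY_SCHEMES = {
    "md5": lambda pw: hashlib.md5(pw.encode()).hexdigest(),
    "sha1": lambda pw: hashlib.sha1(pw.encode()).hexdigest(),
}


def hash_new(password: str) -> str:
    """Hash with the target scheme: pbkdf2$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_new(password: str, stored: str) -> bool:
    """Check a password against a target-scheme entry in constant time."""
    _, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def validate_and_upgrade(db: dict, login: str, password: str) -> str:
    """Return 'ok', 'upgraded' or 'denied'; db maps login -> stored hash."""
    stored = db.get(login)
    if stored is None:
        return "denied"
    if stored.startswith("pbkdf2$"):  # already migrated
        return "ok" if verify_new(password, stored) else "denied"
    for scheme in LEGACY_SCHEMES.values():
        if hmac.compare_digest(scheme(password), stored):
            # Password proven correct: replace the legacy hash in place.
            db[login] = hash_new(password)
            return "upgraded"
    return "denied"


# Constructed sample table: one MD5 account and one SHA-1 account.
SAMPLE_DB = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.sha1(b"s3cond-acct").hexdigest(),
}
```

A failed attempt leaves the stored legacy hash untouched, so the page can be retried without locking rarely used secondary accounts out of the old scheme.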