Home / server / Questions / 476886
In Process
Petr
Asked: 2013-02-09 07:27:59 +0800 CST

When changing passwords, how to let one PAM module check for old passwords and another to save new ones?

  • 772

Our server is currently using the blowfish cipher to store passwords and it uses pam_unix2. We'd like to gradually switch to SHA. The idea is that all newly changed passwords would be hashed with SHA. But I don't know how to configure PAM for that, namely common-password. If I use pam_unix2, it cannot save new passwords with SHA. If I use pam_unix, it cannot verify old, blowfish passwords. Is there a way how to verify the old passwords with one module and set new with another?

linux

1 Answers

  1. It depends on whether the password interface checks the current password, or whether this is done by the normal auth interface. I would suspect the latter due to root being able to set other users' passwords without providing the user's previous password, in which case you should be able to do something like this:

    # Accept authentication with either Blowfish or SHA512
auth        sufficient      pam_unix2.so
auth        sufficient      pam_unix.so

# Set new passwords only with SHA512
password    required        pam_unix.so sha512
    • 2