Solaris

I want to import my passwd/shadow files from Solaris 6 to Solaris 10. I found that the encryption method for passwords has changed. Is there a command or script to convert the Solaris 6 passwords to Solaris 10? I have searched the net and just can't seem to find the answer.

For Example:

The password "test123" in Solaris 2.6 shadow file:
wsr:8SsdZGI10.48o:13161::::::

The password "test123" in Solaris 10 shadow file:
wsr:rJ6LC282EwCDs:13161::::::

Thanks in advance for your help.

I doubt that you would find a script or program to do this since that would require the program to know what the password actually is set to - and then that means that program would be able to crack passwords.

All you can do is set up all the accounts on the 10 server and set all passwords to some default (maybe the user's first 4 letters of First Name and then 4 random numbers) and let each user know the new password on the 10 server. Also set it that they have to change it when logging in the first time.

And I checked an account on servers that has the same password on Solaris 2.6, 8, and 9 - each is different in what is recorded in the /etc/shadow for the password for the exact same account.

The password in the /etc/shadow file is encrypted with a different key (salt) everytime. The salt used to encrypt the password is also stored in the shadow file. This will result in a different entry for each password -even if it the same password on the same server.
Why dont you take a nice secure root login on the server (which won't accidentally be logged off), take a backup of the current shadow file and bring in the shadow from 2.6. Then try to login to the server. If it works, there's your import.

I just created an account on a Solaris 10 box. I copied the encrypted password string for a SunOS 2.6 box. That worked. Then I copied the encrypted password string for an HP-UX 11.0 box. That worked too. Solaris 10 uses the same password encryption scheme as virtually every other version of unix. Replacing crypt() would be a daunting task. It is hard to get something like that right.

See this post

I finally found the problem. The following line in /etc/security/policy.conf was commented out.

CRYPT_DEFAULT=__unix__

Once i uncommented it out, everything worked great.

Thanks for everyone's help.

I've tried something like that and it worked fine, converting my /etc/master.passwd from FreeBSD to Solaris 10's /etc/shadow, then copied to Linux and still worked, of course, all servers was configured to handle md5

I'm not a crypto expert, but I have to say that I am not convinced that md5 hashes constitute a successful replacement to the standard unix password hash. Before md5, we had md2 and md4 both of which failed to live up to their promises. In this paper, Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD demonstrate collisions for md5. It's especially jarring that they can find a collision for md4 by hand, no computer needed. And Bruce Snieder checks in with Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard. On the other hand, it may be that stuff like md5 is unusually strong when hashing a very short string like a password. But I'm reluctant to use a new algorithm until it has proven itself for awhile.