[Lias] migrating users and their passwords

Jonathon Coombes jon at cybersite.com.au
Sun Dec 1 13:51:01 UTC 2002


On Sun, 2002-12-01 at 16:20, Leon Brooks wrote:
> On Sunday 01 December 2002 06:31 am, Jonathon Coombes wrote:
> >> If RH7 uses the same password format, and adjeweb's software uses the
> >> system passwords and mailboxes, just copy them (user by user) from
>                                                    ^^^^^^^^^^^^
> >> /etc/shadow on the old system to the same file on the new, and their mail
> >> from/to /var/spool/mail/$USERNAME
> 
> > Something to be careful of here, is if users already exist on the
> > new system. Copying the shadow file may be fine, but with directories
> > and files such as $HOME and the mailboxes, the uid's may get mixed up.
> 
> It's important to note that (1) I didn't advocate copying the file en bloc, but
> `user by user' (see row of carets mid-quote); and (2) shadow is keyed on 
> username not UID.

Hi Leon,

I did not want to disapprove of your method, or say one method is
better than another in every circumstance. I just wanted to point
out some of the problems I have seen people have in the past with
copying user accounts across machines.

Also, the uid's that I mentioned were in regards to the home directories
and mailbox files, not the /etc/shadow file, which certainly does not
contain uid's. That is, it may not simply be a matter of copying a
mailbox or home directory across as the uid on these files may be
different compared to the uid on the new machine.

> > Another very useful command for changing passwords is the 'chpasswd'
> > command. This is designed to change the user passwords as a batch job.
> > Ideal for schools where you have to update hundreds of accounts.
> 
> It's even ideal for updating a score of accounts (shadow.old being /etc/shadow 
> from the old machine):
> 
>     gawk -F: <shadow.old '{ print $1":"$2 }' | chpasswd -e
> 
> If you're upgrading from a machine which uses an older encryption method, 
> throw John the Ripper at the task (on the new machine, well ahead of time)
> and when it completes (or completes enough, it might take weeks if the 
> passwords are well chosen and/or the machine lacks horsepower), do this:
> 
>     john -show shadow.old | gawk -F: '{ print $1":"$2 }' | chpasswd
> 
> (Note the absence of -e of chpasswd: this option intentionally left blank).
> John will also do Windows passwords if you're migrating authentication from 
> Borgware.

Another good suggestion. Believe me, you start to learn some of these
techniques when you are asked to update machines with over 1000 accounts
or more! :-)

Regards,
Jonathon
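
Added example (not from the original thread): a pre-flight check for the uid mismatch described above, comparing the old machine's /etc/passwd with the new one's before home directories and mailboxes are copied. The function name `uid_plan`, its output format, the sample accounts and the 500 cutoff for regular users are assumptions made for the illustration; a CLASH line marks files that would end up owned by a different person if copied with their numeric uid.

```shell
#!/bin/sh
# Added example: report uid problems before copying $HOME and mail spools.
# Output lines (format made up for this example):
#   MISSING <user> <old_uid>             no such account on the new host yet
#   REMAP <user> <old_uid> <new_uid>     same name, different uid
#   CLASH <user> <old_uid> <other_user>  old uid is someone else on the new host

uid_plan() {
    # $1 = passwd from the old machine, $2 = passwd on the new machine,
    # $3 = lowest uid treated as a regular user (500 is an assumed default)
    awk -F: -v min="${3:-500}" '
        NR == FNR { new_uid[$1] = $3; owner[$3] = $1; next }  # new host is read first
        $3 < min  { next }                                    # skip system accounts
        !($1 in new_uid)                     { print "MISSING", $1, $3 }
        ($1 in new_uid) && new_uid[$1] != $3 { print "REMAP", $1, $3, new_uid[$1] }
        ($3 in owner) && owner[$3] != $1     { print "CLASH", $1, $3, owner[$3] }
    ' "$2" "$1"
}

demo() {
    # Constructed sample data, not taken from the thread.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd.old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
EOF
    cat > "$tmp/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dave:x:500:500::/home/dave:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/bash
EOF
    uid_plan "$tmp/passwd.old" "$tmp/passwd.new"
    rm -rf "$tmp"
}

demo
```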




