Date:      Sat, 07 Jul 2007 19:12:20 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Lisa Casey <lisa@jellico.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: passwd file and user accounts
Message-ID:  <468FD784.3000807@infracaninophile.co.uk>
In-Reply-To: <003701c7c0ac$f7a6f350$d5b9bfcf@lisac>
References:  <003701c7c0ac$f7a6f350$d5b9bfcf@lisac>


Lisa Casey wrote:
> Hi,
> 
> This is probably a stupid question, but I'll ask it anyway...
> 
> I have a Red Hat Linux system I need to get rid of. It is currently
> doing e-mail for approximately 700 users and is also doing radius
> authentication. I have setup a new FreeBSD computer to take its place.
> I have everything setup now on the FreeBSD computer except for the user
> accounts and mailboxes. The mailboxes aren't a problem, I've used tar to
> move mailboxes before.
> 
> I suppose I cannot simply copy /etc/passwd, /etc/group and /home from
> the Redhat computer to the FreeBSD computer due to the password hash in
> /etc/passwd. Am I correct on this?  Would it be possible to copy
> /etc/passwd then (before the new system goes "live") reset all the
> passwords with the passwd command? That might be easier than adding in
> close to 700 accounts using adduser.  Does anyone have a better idea of
> how I might go about doing this?

Not a stupid question at all, and you are quite right: you can't
just copy /etc/passwd and /etc/group from the Redhat box.  /home
you can, pretty much, but see below about the necessity to renumber
some accounts, and also be aware that if any of your users have
locally installed Linux executables or scripts that claim to be run
by /bin/sh when they really need /usr/local/bin/bash then they will
have problems.

You're going to run into a number of problems shifting your user
accounts over:

   i) System level accounts.  On FreeBSD these are all the accounts
with UID or GID below 1000, plus the 'nobody' account.  See
/usr/src/etc/master.passwd and /usr/src/etc/group for the list of
what is required by the base system, and see /usr/ports/{UIDs,GIDs}
for the numbers reserved by the ports system.  On Redhat, the
boundary between system and user accounts is UID 500.

Thus to port your passwd and group database from Redhat to FreeBSD
you will need to discard the UIDs and GIDs below 500, substituting
the equivalent stuff from the default master.passwd and group files.
Also you will almost certainly have to renumber accounts where the
UID/GID is between 500 and 1000.  That means running chown(1) on the
files owned by those accounts.  A find command like the following
is often useful:

    find /home -user ${olduid} -print0 | xargs -0 chown -h ${newuid}

  ii) Password hashes.  On Redhat there are two parallel files
/etc/passwd and /etc/shadow.  It's /etc/shadow which contains the
password hashes.  On FreeBSD the /etc/passwd file is generated from
/etc/master.passwd by stripping out certain of the columns and
replacing the password hashes from column 2 with asterisks. The
master.passwd(5) man page has all the details.  You can just cut and
paste the password hashes from column 2 of /etc/shadow into column 2
of /etc/master.passwd.  See crypt(3) for more information.

If your Redhat system is fairly old and still uses the traditional
style DES password hashes you can copy them just the same and they
will still work in FreeBSD, but you should force your users to
update their passwords when they next log in.  DES password hashes
are almost trivially crackable nowadays.  You can force a password
update for an account by setting the 7th column of
/etc/master.passwd to the current Unix time (ie. the output of
'date +%s')

The other columns of /etc/shadow are all about when passwords were
last changed and when they will expire. Those columns have
equivalents in FreeBSD's master.passwd but the data formats are
different and you can't just copy from one to the other.  However,
unless you specifically use password ageing you can probably just
ignore those fields.

Note that a password hash of '!!' is special on Redhat.  It means
'account is locked and cannot be logged into' (including by means
that do not involve passwords at all, like SSH key based
authentication.)  The equivalent under FreeBSD is *LOCKED*.  It's
also quite common for Linux to use /bin/false to mean 'no
interactive shell' -- which also works under FreeBSD, but there it
is more usual to use /usr/sbin/nologin

 iii) Shells -- these are almost always found in /bin under Redhat,
whereas under FreeBSD some (sh, csh, tcsh) are in /bin but bash, zsh
etc. or any other shell installed from ports, will be found in
/usr/local/bin.

Remember that on FreeBSD you never edit /etc/passwd directly.
Instead, edit /etc/master.passwd and then run pwd_mkdb to generate
/etc/passwd from /etc/master.passwd and rebuild the pwd.db hashed
lookup files. Using vipw(8) will automate that for you, and lock the
password file correctly against several people all trying to update
it at once, which would usually result in a corrupted password file.
You can also use 'mergemaster -p' to ensure you have all the
necessary system level accounts in place: something that is rather
important as the system won't boot up entirely successfully without.

See also pw(8) and adduser(8) for a couple of programmatic
interfaces for dealing with user accounts and groups.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
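As an added illustration (not code from the thread above), the conversion rules Matthew describes, written up as a small Python script: drop Red Hat system accounts below UID 500, renumber UIDs/GIDs in the 500..999 range that collide with FreeBSD's reserved range (returning the mapping for the chown step), carry hashes over from /etc/shadow into master.passwd, translate '!!' to *LOCKED*, map shell paths, and force a password change for 13-character DES hashes. It assumes the field layout of master.passwd(5), where the forced-change time is the 'change' field (name:password:uid:gid:class:change:expire:gecos:home:shell); the sample passwd/shadow lines and their hashes are constructed placeholders.

```python
import itertools, time

SYSTEM_UID_BOUNDARY = 500  # Red Hat: UIDs/GIDs below 500 are system accounts
FREEBSD_USER_START = 1000  # FreeBSD: UIDs/GIDs below 1000 are reserved for base/ports
SHELL_MAP = {"/bin/bash": "/usr/local/bin/bash", "/bin/zsh": "/usr/local/bin/zsh",
             "/bin/false": "/usr/sbin/nologin", "/sbin/nologin": "/usr/sbin/nologin"}
# Constructed sample input in Red Hat format (hashes are placeholders, not real credentials).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
lisa:x:500:500:Lisa Casey:/home/lisa:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/false
old:x:501:501:Old DES user:/home/old:/bin/sh\n"""
SAMPLE_SHADOW = """root:$1$rootsalt$placeholder:13700:0:99999:7:::
lisa:$1$salt$placeholderhash:13700:0:99999:7:::
bob:!!:13700:0:99999:7:::
old:abJnggxhB/yWI:13700:0:99999:7:::\n"""

def _free_ids(taken):
    """Yield ids >= FREEBSD_USER_START not already used by an account in the source."""
    return (n for n in itertools.count(FREEBSD_USER_START) if n not in taken)

def _renumber(old, mapping, pool):
    """Map an id in the Red Hat user range 500..999 to a fresh FreeBSD-safe id."""
    if SYSTEM_UID_BOUNDARY <= old < FREEBSD_USER_START and old not in mapping:
        mapping[old] = next(pool)
    return mapping.get(old, old)

def convert(passwd_text, shadow_text, now=None):
    """Return (master.passwd lines, {old_uid: new_uid}, {old_gid: new_gid})."""
    now = int(time.time()) if now is None else now
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.strip())
    rows = [l.split(":") for l in passwd_text.splitlines() if l.strip()]
    new_uids = _free_ids({int(r[2]) for r in rows})
    new_gids = _free_ids({int(r[3]) for r in rows})
    out, uid_map, gid_map = [], {}, {}
    for name, _, uid, gid, gecos, home, shell in rows:
        if int(uid) < SYSTEM_UID_BOUNDARY:
            continue  # system account: keep FreeBSD's own entry from the default master.passwd
        uid = _renumber(int(uid), uid_map, new_uids)
        gid = _renumber(int(gid), gid_map, new_gids)
        h, change = hashes.get(name, "*"), 0  # no shadow entry: no usable password
        if h == "!!":                         # Red Hat: locked, no hash present
            h = "*LOCKED*"
        elif h.startswith("!"):               # passwd -l keeps the hash behind a '!'
            h = "*LOCKED*" + h[1:]
        elif "$" not in h and len(h) == 13:   # traditional DES hash: force a change at next login
            change = now                      # 'change' is field 6 of master.passwd(5)
        shell = SHELL_MAP.get(shell, shell)
        out.append(f"{name}:{h}:{uid}:{gid}::{change}:0:{gecos}:{home}:{shell}")
    return out, uid_map, gid_map
```

The returned uid and gid maps drive the `find ... | xargs chown` step from the message; the lines themselves go into master.passwd via vipw(8) or pwd_mkdb, never straight into /etc/passwd.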