Virtualmin user password handling

Can you address what’s going on inside Virtualmin with the plaintext passwords for users? Do any parts of the system rely on that password for operation, or does everything use PAM and the password is just on the screen for convenience?

I’ve got some mail users that I’ll be moving from another Unix server to one running Virtualmin. I don’t know their passwords, but I have access to the hashed data from /etc/shadow. Normally I would just expect to copy the password hashes over to the new machine, but that leaves Webmin without its plaintext info and I’m wondering what implications will arise.

Hey Joshua,

Weird coincidence… I was just looking at a cPanel backup to see if we can pull in passwords automatically (right now we reset them during import). And we can, but, as you’ve noted, there are places in Virtualmin where we’d like to have the password.

Virtualmin keeps the password for a lot of stuff…setting passwords in other modules (SVN and databases, for example), sending out signup notification emails, etc. I don’t know if it will panic if it doesn’t have a plaintext copy of it somewhere.

I’ll ask Jamie to drop in on this thread and shed some light on it.

Virtualmin does keep plain text passwords for mailbox users, where possible. These are used when enabling other services for those users, like MySQL logins or DAV, which use encrypted passwords in a different format.

Older versions didn’t do this, and instead stored only the MD5 encrypted password in /etc/shadow. However, in this case if you try to enable MySQL access for an existing user, Virtualmin will complain that the password needs to be changed at the same time, so that it knows the plaintext password for re-encryption in MySQL’s format.

To answer your question, it is quite possible to copy across users from another system where you only know the hashed password, and in general this will work fine. The only problem happens if you later try to enable DAV, SVN or MySQL access for these users before changing their passwords…
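The format mismatch described in the reply above, as an added example that is not part of the thread and not Virtualmin's own code: a copied /etc/shadow hash is enough for mail logins, but the hashes used by other services can only be computed from the plaintext. It assumes MySQL's `mysql_native_password` format and Apache's htdigest format for DAV; the shadow lines are constructed and `services_available` is a hypothetical helper.

```python
import hashlib

# Constructed sample in /etc/shadow format (hash fields are placeholders, not real hashes).
SHADOW_SAMPLE = """\
alice:$1$Xy3kQ9aB$CONSTRUCTEDmd5cryptHASH000:19000:0:99999:7:::
bob:$6$Qw8sLm2p$CONSTRUCTEDsha512cryptHASH:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' of a shadow hash.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
                 "2a": "bcrypt", "2b": "bcrypt", "y": "yescrypt"}

def parse_shadow(text):
    """Return {user: scheme}; scheme is None for locked or empty entries."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        parts = fields[1].split("$")
        # A usable hash looks like $id$salt$digest; "!" or "*" marks a locked account.
        if len(parts) >= 4 and parts[0] == "":
            users[fields[0]] = CRYPT_SCHEMES.get(parts[1], "unknown")
        else:
            users[fields[0]] = None
    return users

def mysql_native_hash(plaintext):
    """mysql_native_password format: '*' + hex(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(plaintext.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def dav_digest_ha1(user, realm, plaintext):
    """Apache htdigest format: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{plaintext}".encode()).hexdigest()

def services_available(user, scheme, plaintext=None):
    """Which services can be provisioned for a migrated mailbox user."""
    ok = []
    if scheme is not None:
        ok.append("mail")        # POP/IMAP authenticate against the copied hash
    if plaintext is not None:
        ok += ["mysql", "dav"]   # these need the password re-hashed in their own format
    return ok
```

Neither `mysql_native_hash` nor `dav_digest_ha1` can take a shadow hash as input, which is why a migrated user has to set a new password before those services are enabled.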

Ok thanks, that sounds pretty good. So it sounds like I can bring the users over with their hashed passwords which will allow them to continue using POP/IMAP and webmail, and then request that they use Usermin to set a new password at their convenience. I just wanted to avoid a hard switchover where the user would be forced to start using a new password.

I just had the exact same problem… and storing pwds in plain text made it…
But isn’t it a problem to keep the passwords clear?