/etc/shadow : how to generate $6$ 's encrypted password?

Question

In /etc/shadow file there are encrypted password.

Encrypted password is no longer crypt(3) or md5 "type 1" format. (according to this previous answer) Now I have a

$6$somesalt$someveryverylongencryptedpasswd

as entry.

I can no longer use

 openssl passwd -1 -salt salt hello-world
 $1$salt$pJUW3ztI6C1N/anHwD6MB0

to generate encrypted passwd.

Any equivalent like (non existing) .. ?

 openssl passwd -6 -salt salt hello-world

Related: http://unix.stackexchange.com/questions/52108/how-to-create-sha512-password-hashes-on-command-line as well as http://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow — slm, Jan 28 '16 at 02:14
You should not be supplying the salt - it should be randomly generated. (The only reason to supply it is to check a password against an existing hash) — Gert van den Berg, Dec 06 '22 at 07:48
my purpose was precisely to check wether a given string is the actual password, so I have to reuse the salt. — Archemar, Dec 06 '22 at 08:30

Craig McQueen · Answer 1 · 2016-10-09T22:19:01.320

41

On Debian-based systems you can use mkpasswd.

mkpasswd -m sha-512 PASSWORD [SALT]

(PASSWORD is your desired password; SALT is optional.)

Strangely, that tool is found in the whois package.

sudo apt-get install whois

edited Oct 09 '16 at 22:19

answered Jun 17 '15 at 06:04

Craig McQueen

6

+1 for whois package name for installation. – Arda Jan 28 '16 at 16:53
2

For clarification, PASSWORD is your desired password and the SALT, explained here: https://en.wikipedia.org/wiki/Salt_%28cryptography%29 can be omitted. – harperville Feb 26 '16 at 14:23
Is there a command to check if mkpasswd's generated hash is correct? I'm generating it and it constantly fails after I put it in /etc/shadow. – CMCDragonkai Mar 08 '18 at 05:57
I'm sure the generated hash would be correct, and your problem would be in something else. But, to verify it, you could generate the hash using an independent implementation of the hash (such as one of the other answers to this question). – Craig McQueen Mar 09 '18 at 01:28
It looks like if SALT is not specified, mkpasswd generates a random one for you. Otherwise, mkpasswd expects the SALT to be between 8 and 16 bytes inclusively. – Nicholas Sushkin Apr 24 '19 at 15:33
You should probably also put a space before this command to prevent your password from being stored in your bash history. – Gregory Arenius Aug 12 '19 at 23:54

score 38 · Accepted Answer · edited Jan 28 '16 at 02:14

38

Python:

python -c 'import crypt; print crypt.crypt("password", "$6$saltsalt$")'

(for python 3 and greater it will be print(crypt.crypt(..., ...)))

Perl:

perl -e 'print crypt("password","\$6\$saltsalt\$") . "\n"'

edited Jan 28 '16 at 02:14

slm

answered Sep 30 '14 at 11:33

Scyld de Fraud

2

For Python 2.7 and 3.3: python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))' – Cristian Ciupitu Sep 30 '14 at 11:44
@scyid thank, I dodn't know the $6$salt trick !! – Archemar Sep 30 '14 at 11:50
1

@CristianCiupitu: crypt.mksalt() is not in Python 2.7, only 3.3 onwards. – Craig McQueen Jun 17 '15 at 05:59
4

Remember that command line arguments are visible to other users via ps. When working with real passwords, don't use these commands as written; instead turn them into a script that reads the password from stdin or a file. – Jander Jun 17 '15 at 07:46
@CraigMcQueen, python-2.7.5-16.fc20.x86_64 from my Fedora 20 installation has it. – Cristian Ciupitu Jun 17 '15 at 17:56
1

@CristianCiupitu: Python 2.7.8 in Ubuntu 14.10 doesn't have it. The Python 2 docs don't document it. The Python 3 docs say it's new in 3.3. – Craig McQueen Jun 17 '15 at 22:55
1

@CraigMcQueen, yes, you're right, it seems it has been backported in the python package for Fedora 20. – Cristian Ciupitu Jun 18 '15 at 13:25

2 Answers2