0

I want to add a user using useradd and specify an encrypted password using the -p flag. I learned that the unix system that I am on uses a SHA512 hash for storing passwords in the /etc/shadow file. When I look in /etc/pam.d/common-password, it says this:

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# here are the per-package modules (the "Primary" block)
password        [success=1 default=ignore]      pam_unix.so sha512

I just need to know what the salt is, so that I can generate the hash and use it with my

useradd ... ... -p INSERT_HASHED_PASS_HERE

Fuad
  • 101
  • The salt is stored with the hashed password. For example, create the hashed password with mkpasswd -s $SALT -m sha-512 with any value you wish for $SALT. – user4556274 Jun 06 '17 at 21:26
  • I don't have mkpasswd on this machine. Also, if the salt is stored with the password, but I don't specify the salt when adding the user, how will it know the salt, since useradd does not take a salt argument? – Fuad Jun 06 '17 at 21:28
  • Your parameter "INSERT_HASHED_PASS_HERE" will be a long string concatenating the hash type (sha512 = 6), the salt, and the hashed, salted password. It is all included in the -p argument. – user4556274 Jun 06 '17 at 21:32
  • The thing I'm confused about is how do I know what salt to use? Do I generate a new salt every time I create a new user? – Fuad Jun 06 '17 at 21:42
  • Use any salt you want (within the length parameters). Ideally, you would use a different truly random salt for each user. – user4556274 Jun 06 '17 at 21:44

2 Answers

2

Salt is a value that is [ideally] generated randomly which introduces some variety to passwords in the case that two users happen to have the same password. Using a random salt a user could have the same password on multiple systems but it would not be obvious. What you are trying to do seems to circumvent the purpose of salting a hash.

I presume you are trying to generate a password hash once and use it in multiple places for automation purposes.

There are a couple of utilities that can be used to generate a password hash when passed an arbitrary string as a salt. However, as I said, you really negate the purpose of the salt in the first place.

LJKims
  • 429
  • I am trying to create a new user, by using the useradd command. The useradd command takes in an encrypted password, but it does not ask for the salt. Does that mean I have to generate the salt manually each time, and then put it into the shadow file? – Fuad Jun 06 '17 at 21:33
  • See: https://superuser.com/questions/822079/etc-shadow-in-old-format-where-is-salt-stored?answertab=active#tab-top – LJKims Jun 06 '17 at 21:39
  • As stated above your hashed password would include the salt. If you REALLY needed to pass around the hashed value an easy way to do this would be to generate the password with 'passwd' on an active system and copy the generated password from /etc/shadow. Again, this is not a great idea because it would be obvious that this user has the same password on each system. – LJKims Jun 06 '17 at 21:40
  • Yes, the salt is some value that YOU generate. It could even be a meaningful string/sentence. Its only purpose is to change the output of the hash function for the same input string (password). – LJKims Jun 06 '17 at 21:43
  • https://en.wikipedia.org/wiki/Salt_(cryptography) – LJKims Jun 06 '17 at 21:44
  • I will just call the passwd command and have it do all this for me. Thanks. – Fuad Jun 06 '17 at 21:55
0

It's always better to leave this to the passwd command, which creates the user password and adds it to the /etc/shadow file. Also, as said in the previous answer, the salt should be random to keep the hash unique.

But if you still want a command to generate the password hash, you can use one of the following:

Option 1:

openssl passwd -6 -salt $(openssl rand -base64 12) yourpassword

Here:

  • -6 indicates the sha-512 encryption algorithm.
  • openssl rand - generates the random salt
  • yourpassword is your password to hash.

Option 2:

mkpasswd --method=SHA-512 --stdin

This should work.

References:

Generate Linux hash Password

manually-generate-password

Rajendra
  • 101
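An added example, not part of either answer: the "$6$<salt>$<hash>" string that the comments describe and that the openssl command above prints, built in pure Python with hashlib so it runs on a machine without mkpasswd or openssl. It carries out the same SHA-512 crypt computation glibc does, draws a random salt from the crypt alphabet, reads the salt back out of a stored string and verifies a password against it, which is why useradd -p never needs a separate salt argument; the "Hello world!"/"saltstring" value it is checked against is the published SHA-crypt test vector, and the other passwords are constructed.

```python
import hashlib
import secrets

# The alphabet crypt(3) uses for salts and hash text (it is not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def make_salt(length: int = 16) -> str:  # 16 chars is the SHA-512 crypt maximum
    return "".join(secrets.choice(ITOA64) for _ in range(length))

def _b64(w: int, n: int) -> str:  # n six-bit groups of w, low bits first
    return "".join(ITOA64[(w >> (6 * k)) & 0x3F] for k in range(n))

def sha512_crypt(password: str, salt: str, rounds: int = 0) -> str:
    """"$6$<salt>$<hash>" as glibc's SHA-512 crypt computes it; rounds=0 -> default 5000, no rounds= field."""
    pw, sl, nr = password.encode(), salt[:16].encode(), rounds or 5000
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n:  # walk the bits of the password length, least significant first
        a.update(b if n & 1 else pw)
        n >>= 1
    digest = a.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[: len(pw)]
    s = (hashlib.sha512(sl * (16 + digest[0])).digest() * (len(sl) // 64 + 1))[: len(sl)]
    for r in range(nr):  # the slow part: nr rounds of chained SHA-512
        h = hashlib.sha512(p if r & 1 else digest)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(digest if r & 1 else p)
        digest = h.digest()
    text = ""
    for i in range(21):  # crypt emits the first 63 bytes in a scrambled 3-byte order
        t = [i, i + 21, i + 42]
        x, y, z = t[i % 3:] + t[: i % 3]
        text += _b64((digest[x] << 16) | (digest[y] << 8) | digest[z], 4)
    text += _b64(digest[63], 2)
    prefix = f"rounds={rounds}$" if rounds else ""
    return f"$6${prefix}{sl.decode()}${text}"

def parse_salt(stored: str) -> str:  # the salt is the field after "$6$" and any "rounds=N$"
    f = stored.split("$")
    return f[3] if f[2].startswith("rounds=") else f[2]

def verify(password: str, stored: str) -> bool:  # re-hash with the salt read out of the stored string
    f = stored.split("$")
    rounds = int(f[2][len("rounds="):]) if f[2].startswith("rounds=") else 0
    return secrets.compare_digest(sha512_crypt(password, parse_salt(stored), rounds), stored)
```

The string sha512_crypt returns is what goes after -p, salt and all; on a real system run it once per user with a fresh make_salt() rather than copying one hash between machines.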