Manually generate password for /etc/shadow
I need to manually edit /etc/shadow to change the root password inside of a virtual machine image. Is there a command-line tool that takes a password and generates an /etc/shadow compatible password hash on standard out?
10 Answers 10
You can use following commands for the same:
Method 1 (md5, sha256, sha512)
openssl passwd -6 -salt xyz yourpass
Note: passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512 (recommended)
Method 2 (md5, sha256, sha512)
mkpasswd --method=SHA-512 --stdin
The option —method accepts md5 , sha-256 and sha-512
Method 3 (des, md5, sha256, sha512)
As @tink suggested, we can update the password using chpasswd using:
echo "username:password" | chpasswd
Or you can use the encrypted password with chpasswd . First generate it using this:
perl -e 'print crypt("YourPasswd", "salt", "sha512"),"\n"'
Then later you can use the generated password to update /etc/shadow :
echo "username:encryptedPassWd" | chpasswd -e
The encrypted password we can also use to create a new user with this password, for example:
useradd -p 'encryptedPassWd' username
When using chpasswd -e , make sure to use single quotes on the string you echo in; otherwise, if there are $ or other special characters, they will not get treated literally.
Note that make of these will end up in your shell history. I would use openssl passwd -1 which 1) doesn’t end up there and 2) generates a random salt for you (which doesn’t end up in shell history, neither).
For a SHA-512 hash: python3 -c ‘import crypt; print(crypt.crypt(«test», crypt.mksalt(crypt.METHOD_SHA512)))’ — from related ServerFault question
Method 1) and 2) above uses MD5 for hashing. MD5 isn’t considered best practise anymore as there has been hash collisions. Use method 3) or the one described in unix.stackexchange.com/a/198906/10911.
On Ubuntu 12.04, there is mkpasswd (from the whois package): Overfeatured front end to crypt(3)
mkpasswd -m sha-512 -S saltsalt -s
- -m = Compute the password using the TYPE method. If TYPE is help then the available methods are printed.
- -S = salt used.
$ mkpasswd -m help -s = Read password from stdin
No matter what, generated passwords from mkpasswd copied into the /etc/passwd always fail. Is there a way to check if the hash created by mkpasswd is correct?
@To마SE: It is somtimes useful to control the salt. I have used it when testing hash generation of passwords for web app where I was storing the salt in a separate store. E.g. hashed password in MySQL DB, and per user salt in Redis.
This solution has the following benefits:
- Nothing additional to install
- Does not store the password in your shell history
- Generates a random salt for you
- Uses a modern, strong hashing algorithm, SHA-512
- Re-prompts for the password to avoid mistakes.
$ python3 -c "from getpass import getpass; from crypt import *; \ p=getpass(); print('\n'+crypt(p, METHOD_SHA512)) \ if p==getpass('Please repeat: ') else print('\nFailed repeating.')"
References
None of the current methods are acceptable to me - They either pass the password on the command line (which ends up in my shell's history), require the installation of additional utilities ( python3 , makepasswd ), use hard-coded salts or use old hashing techniques.
This method would generate SHA-512 hashes after prompting for the password and would use a random salt.
A method utilising Python 2 without any non-standard libraries:
python2 -c 'import crypt, getpass,os,base64; print crypt.crypt(getpass.getpass(), "$6$"+base64.b64encode(os.urandom(16))+"$")'
To do it without a prompt: (This will leave your password in the command history)
python2 -c 'import crypt, os,base64; print crypt.crypt("MyPassword", "$6$"+base64.b64encode(os.urandom(16))+"$")'
To avoid leaving the password in the command history, you can set (for bash, at least) the environment variable HISTCONTROL to 'ignorespace', and then add a leading space in front of the command.
@adam820: That is one way. It would still it in the ps output in the fraction of a second that the command is running. (The safest remains to use the version that prompts for the password)
Also with the openssl command you don't have to use a hard-coded salt nor pass the password on the command line, try e.g. this variant: openssl passwd -6 -salt $(head -c18 /dev/urandom | openssl base64)
@maxschlepzig Just leaving the "-salt" option off seems to result in a random salt as well. mkpasswd has other options, like specifying the number of rounds as well. Python3's crypt.mksalt also allows those to be specified. (I had a use case where Python 3 was unavailable, which is why this answer exists)
@GertvandenBerg, the point is: the rationale in your first paragraph of your answer is incorrect. Counter example openssl : it doesn't require you to pass the password on the command line, it usually doesn't require the installation of additional utilities (i.e. which system doesn't have the openssl binary pre-installed but python ..) and it doesn't use hard-coded salts nor old hashing techniques.
For those without Debian based systems. Python3 works just as well.
python3 -c 'import crypt, getpass; print(crypt.crypt(getpass.getpass()))'
getpass.getpass() will prompt you for a password on the command line.
For some reason, using crypt.mksalt does not work when generating passwords for /etc/shadow . But @Alex131089's method works!
Just wasted 1.5h trying this method, before I noticed the comment. Can somebody remove it? I can't downvote yet.
@MichałF it seems like this wasn't working because the salting wasn't done correctly. Thanks for pointing this out. I've removed the salt because the salting is dependent on OS and it's not practical to account for all ranges of OS in my answer. You should be using Method 1 outlined by @RahulPatil because it allows you to use salting and openssl is a pretty universal tool.
Yet another method to generate passwords, is using the openssl tool.
openssl passwd -1 -salt SaltSalt SecretPassword # output: $1$SaltSalt$FSYmvnuDuSP883uWgYBXW/
openssl passwd -crypt -salt XR SuprScrt # output: XR1dOp2EVMph2
How is this different from method 1 in Rahul Patil's answer? Note that the old DES-based password hashing algorithm definitely should not be used! For one thing, it only supports passwords of up to eight bytes, which is woefully inadequate these days.
Quoting Snowden: "Assume your adversary is capable of one trillion guesses per second." With a not totally unreasonable 70-characters charset and a fully random password, that's 576 seconds -- less than ten minutes. Even against a less capable but determined adversary, it is woefully inadequate.
Thanks for being the only answer showing how to encrypt DES passwords! Very useful for trying to override the root password for an IP camera firmware.
The openssl and chpasswd -e pair didn't work in my case in RHEL6. Combining openssl passwd and usermod -p command did the job.
Generate the hash value of the password along with the salt value:
$ openssl passwd -1 -salt 5RPVAd clear-text-passwd43 $1$5RPVAd$vgsoSANybLDepv2ETcUH7.
Then, copy the encrypted string to usermod. Make sure to wrap it with single quotes.
$ usermod -p '$1$5RPVAd$vgsoSANybLDepv2ETcUH7.' root
Check it out in shadow file.
$ grep root /etc/shadow root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7.
Expanding a bit on the criticisms of u150825 and Gert van den Berg, I found myself needing something relatively flexible for different situations with different automation systems. I decided I would add to my own little library of useful scripts and write this. It uses only native libraries from python 2.7+, and works on python3 just as well.
You can pick it up here if you like. It's just as easy to drop this in your environment if you're needing to use it a lot, http hosted or whatever, and you can run it on any platform using whatever the default python interpreter you've got available to you is, pretty reliably counting on it working.
It defaults to prompting using getpass with prompts on stderr (allowing easy capture of stdout), but if you pipe a string to it it'll just reap from stdin. Depending on how you're going about this, it may not be showing up in command history, either, so just be cognizant of what it is you're working with. I like having a flexible tool that'll behave in an expected way, rather than having to rely on packages or python one-lining my way to victory 10 different ways.
/etc/shadow – HowTo: Generate Password Hash in Linux
Linux stores users’ encrypted passwords, as well as other security information, such as account or password expiration values, in the /etc/shadow file.
Someday you may need to edit the /etc/shadow file manually to set or change ones password.
Unlike the /etc/passwd that is readable for everyone, the /etc/shadow file MUST be readable by the ROOT user only.
For this you would have to generate password hash in the format compatible with /etc/shadow .
Cool Tip: Want to create a USER with ROOT privileges? This can be very dangerous! But if you insist… Read more →
There is no need to install any additional tools as it can be easily done from the Linux command line using Python.
Generate Password Hash for /etc/shadow
The $ID indicates the type of encryption, the $SALT is a random (up to 16 characters) string and $ENCRYPTED is a password’s hash.
Hash Type | ID | Hash Length |
---|---|---|
MD5 | $1 | 22 characters |
SHA-256 | $5 | 43 characters |
SHA-512 | $6 | 86 characters |
Cool Tip: Got a hash but don’t know what type is it? Find out how to easily identify different hash types! Read more →
Use the below commands from the Linux shell to generate hashed password for /etc/shadow with the random salt.
Generate MD5 password hash:
python -c "import random,string,crypt; randomsalt = ''.join(random.sample(string.ascii_letters,8)); print crypt.crypt('MySecretPassword', '\$1\$%s\$' % randomsalt)" --- $1$YjOzcqrf$Zqx4sx5CQRuEIFCdOLAJV0
Generate SHA-256 password hash:
python -c "import random,string,crypt; randomsalt = ''.join(random.sample(string.ascii_letters,8)); print crypt.crypt('MySecretPassword', '\$5\$%s\$' % randomsalt)" --- $5$LgsPuaeR$OCtm.3tpbS/wyOZAIy6dsVNP4x0GyohyGebkIz15e88
Generate SHA-512 password hash:
python -c "import random,string,crypt; randomsalt = ''.join(random.sample(string.ascii_letters,8)); print crypt.crypt('MySecretPassword', '\$6\$%s\$' % randomsalt)" --- $6$HMpFTkgb$WqzuqMqYbjWsXFrOtvZPo.1gIkH6HiXJGr4QPv.k26jE.3mE.sdf3dds[. ]
Hope these commands will be helpful.
Just don’t forget to replace MySecretPassword with YourSecretPassword.
As you can see, it is really very easy to generate hashes for the /etc/shadow from the Linux command line using Python.
Particularly for the reason that the Python is installed by default on the most Linux distributions.