Manually generate password for /etc/shadow
I need to manually edit /etc/shadow to change the root password inside of a virtual machine image. Is there a command-line tool that takes a password and generates an /etc/shadow compatible password hash on standard out?
10 Answers 10
You can use following commands for the same:
Method 1 (md5, sha256, sha512)
openssl passwd -6 -salt xyz yourpass
Note: passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512 (recommended)
Method 2 (md5, sha256, sha512)
mkpasswd --method=SHA-512 --stdin
The option —method accepts md5 , sha-256 and sha-512
Method 3 (des, md5, sha256, sha512)
As @tink suggested, we can update the password using chpasswd using:
echo "username:password" | chpasswd
Or you can use the encrypted password with chpasswd . First generate it using this:
perl -e 'print crypt("YourPasswd", "salt", "sha512"),"\n"'
Then later you can use the generated password to update /etc/shadow :
echo "username:encryptedPassWd" | chpasswd -e
The encrypted password we can also use to create a new user with this password, for example:
useradd -p 'encryptedPassWd' username
When using chpasswd -e , make sure to use single quotes on the string you echo in; otherwise, if there are $ or other special characters, they will not get treated literally.
Note that make of these will end up in your shell history. I would use openssl passwd -1 which 1) doesn’t end up there and 2) generates a random salt for you (which doesn’t end up in shell history, neither).
For a SHA-512 hash: python3 -c ‘import crypt; print(crypt.crypt(«test», crypt.mksalt(crypt.METHOD_SHA512)))’ — from related ServerFault question
Method 1) and 2) above uses MD5 for hashing. MD5 isn’t considered best practise anymore as there has been hash collisions. Use method 3) or the one described in unix.stackexchange.com/a/198906/10911.
On Ubuntu 12.04, there is mkpasswd (from the whois package): Overfeatured front end to crypt(3)
mkpasswd -m sha-512 -S saltsalt -s
- -m = Compute the password using the TYPE method. If TYPE is help then the available methods are printed.
- -S = salt used.
$ mkpasswd -m help -s = Read password from stdin
No matter what, generated passwords from mkpasswd copied into the /etc/passwd always fail. Is there a way to check if the hash created by mkpasswd is correct?
@To마SE: It is somtimes useful to control the salt. I have used it when testing hash generation of passwords for web app where I was storing the salt in a separate store. E.g. hashed password in MySQL DB, and per user salt in Redis.
This solution has the following benefits:
- Nothing additional to install
- Does not store the password in your shell history
- Generates a random salt for you
- Uses a modern, strong hashing algorithm, SHA-512
- Re-prompts for the password to avoid mistakes.
$ python3 -c "from getpass import getpass; from crypt import *; \ p=getpass(); print('\n'+crypt(p, METHOD_SHA512)) \ if p==getpass('Please repeat: ') else print('\nFailed repeating.')"
References
None of the current methods are acceptable to me - They either pass the password on the command line (which ends up in my shell's history), require the installation of additional utilities ( python3 , makepasswd ), use hard-coded salts or use old hashing techniques.
This method would generate SHA-512 hashes after prompting for the password and would use a random salt.
A method utilising Python 2 without any non-standard libraries:
python2 -c 'import crypt, getpass,os,base64; print crypt.crypt(getpass.getpass(), "$6$"+base64.b64encode(os.urandom(16))+"$")'
To do it without a prompt: (This will leave your password in the command history)
python2 -c 'import crypt, os,base64; print crypt.crypt("MyPassword", "$6$"+base64.b64encode(os.urandom(16))+"$")'
To avoid leaving the password in the command history, you can set (for bash, at least) the environment variable HISTCONTROL to 'ignorespace', and then add a leading space in front of the command.
@adam820: That is one way. It would still it in the ps output in the fraction of a second that the command is running. (The safest remains to use the version that prompts for the password)
Also with the openssl command you don't have to use a hard-coded salt nor pass the password on the command line, try e.g. this variant: openssl passwd -6 -salt $(head -c18 /dev/urandom | openssl base64)
@maxschlepzig Just leaving the "-salt" option off seems to result in a random salt as well. mkpasswd has other options, like specifying the number of rounds as well. Python3's crypt.mksalt also allows those to be specified. (I had a use case where Python 3 was unavailable, which is why this answer exists)
@GertvandenBerg, the point is: the rationale in your first paragraph of your answer is incorrect. Counter example openssl : it doesn't require you to pass the password on the command line, it usually doesn't require the installation of additional utilities (i.e. which system doesn't have the openssl binary pre-installed but python ..) and it doesn't use hard-coded salts nor old hashing techniques.
For those without Debian based systems. Python3 works just as well.
python3 -c 'import crypt, getpass; print(crypt.crypt(getpass.getpass()))'
getpass.getpass() will prompt you for a password on the command line.
For some reason, using crypt.mksalt does not work when generating passwords for /etc/shadow . But @Alex131089's method works!
Just wasted 1.5h trying this method, before I noticed the comment. Can somebody remove it? I can't downvote yet.
@MichałF it seems like this wasn't working because the salting wasn't done correctly. Thanks for pointing this out. I've removed the salt because the salting is dependent on OS and it's not practical to account for all ranges of OS in my answer. You should be using Method 1 outlined by @RahulPatil because it allows you to use salting and openssl is a pretty universal tool.
Yet another method to generate passwords, is using the openssl tool.
openssl passwd -1 -salt SaltSalt SecretPassword # output: $1$SaltSalt$FSYmvnuDuSP883uWgYBXW/
openssl passwd -crypt -salt XR SuprScrt # output: XR1dOp2EVMph2
How is this different from method 1 in Rahul Patil's answer? Note that the old DES-based password hashing algorithm definitely should not be used! For one thing, it only supports passwords of up to eight bytes, which is woefully inadequate these days.
Quoting Snowden: "Assume your adversary is capable of one trillion guesses per second." With a not totally unreasonable 70-characters charset and a fully random password, that's 576 seconds -- less than ten minutes. Even against a less capable but determined adversary, it is woefully inadequate.
Thanks for being the only answer showing how to encrypt DES passwords! Very useful for trying to override the root password for an IP camera firmware.
The openssl and chpasswd -e pair didn't work in my case in RHEL6. Combining openssl passwd and usermod -p command did the job.
Generate the hash value of the password along with the salt value:
$ openssl passwd -1 -salt 5RPVAd clear-text-passwd43 $1$5RPVAd$vgsoSANybLDepv2ETcUH7.
Then, copy the encrypted string to usermod. Make sure to wrap it with single quotes.
$ usermod -p '$1$5RPVAd$vgsoSANybLDepv2ETcUH7.' root
Check it out in shadow file.
$ grep root /etc/shadow root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7.
Expanding a bit on the criticisms of u150825 and Gert van den Berg, I found myself needing something relatively flexible for different situations with different automation systems. I decided I would add to my own little library of useful scripts and write this. It uses only native libraries from python 2.7+, and works on python3 just as well.
You can pick it up here if you like. It's just as easy to drop this in your environment if you're needing to use it a lot, http hosted or whatever, and you can run it on any platform using whatever the default python interpreter you've got available to you is, pretty reliably counting on it working.
It defaults to prompting using getpass with prompts on stderr (allowing easy capture of stdout), but if you pipe a string to it it'll just reap from stdin. Depending on how you're going about this, it may not be showing up in command history, either, so just be cognizant of what it is you're working with. I like having a flexible tool that'll behave in an expected way, rather than having to rely on packages or python one-lining my way to victory 10 different ways.
Generate passwords and encrypt/decrypt content in Linux
OpenSSL is one of the utilities available with all major Linux distributions. We can use the same to encrypt and decrypt passwords in Linux to protect sensitive data.
Generate Random Passwords
We can utilities like mkpasswd or pwgen to generate random passwords if needed:
# generates multiple 8-character passwords pwgen # generates single random password makepasswd # generates multiple 12-character passwords pwgen 12 makepasswd --chars=12 # generates specified 12-character passwords, say 5 pwgen 12 5 makepasswd --chars=12 --count=5
Generate Encrypted/Hashed Passwords
We can generated encrypted passwords with utilities like makepasswd :
# generates 12-character password and encrypted password with crypt algorithm makepasswd --chars=12 --crypt # generates 12-character password and encrypted password with crypt algorithm + salt makepasswd --chars=12 --crypt --cryptsalt=20 # generates 12-character password and encrypted md5 password makepasswd --chars=12 --crypt-md5
With openssl , we can generated hashed-passwords for supplied password as input:
# generates hashed password with crypt algorithm openssl passwd -crypt my_password # generates hashed password with crypt algorithm + salt openssl passwd -crypt -salt my_salt my_password # generates hashed md5 password openssl password -1 my_password # generates hashed sha-256/512 password openssl password -5 my_password
Encrypting Contents with OpenSSL
Lets say we have a file with some sensitive content. We can encrypt sensitive content, say “my_content” with openssl with different encryption algorithms in the below manner:
# encrypt string with algorithm pbkdf2 with randomly generated salt and input password echo "my_content" | openssl enc -pbkdf2 -a -salt -pass pass:my_password # decrypt string (encoded as above) # note: just add parameter -d to above openssl parameters echo "bXlfY29udGVudAo=" | openssl enc -pbkdf2 -a -d -salt -pass pass:my_password # encrypt string with algorithm aes-256-cbc with randomly generated salt and input password echo "my_content" | openssl enc -aes-256-cbc -a -salt -pass pass:my_password # decrypt string (encoded as above) # note: just add parameter -d to above openssl parameters echo "U2FsdGVkX19MdDInWumh31tKJoqR5HQwSXlxj3NiRC8 wp-block-code"> cloud_user@d7e5dc06581c:~$ echo "my_content" | openssl enc -pbkdf2 -a -salt -pass pass:my_password bXlfY29udGVudAo= cloud_user@d7e5dc06581c:~$ echo "bXlfY29udGVudAo=" | openssl enc -pbkdf2 -a -d -salt -pass pass:my_password my_content cloud_user@d7e5dc06581c:~$ echo "my_content" | openssl enc -aes-256-cbc -a -salt -pass pass:my_password *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. U2FsdGVkX19MdDInWumh31tKJoqR5HQwSXlxj3NiRC8= cloud_user@d7e5dc06581c:~$ echo "U2FsdGVkX19MdDInWumh31tKJoqR5HQwSXlxj3NiRC8 jp-post-flair" >
Is it possible to set user password as MD5 hash in Centos?
I want to set a user's password as MD5 hash value in Centos. I mean I don't know the password, but I have the hash MD5 value (md5sum). Is it possible? Detailed explanation: New password I want to set: 123 MD5 value of '123' is: dak37yd2o9d8m2ype9n8283up1m2 I want to run a command like this:
echo dak37yd2o9d8m2ype9n8283up1m2 | passwd --stdin -md5 myuser
The hash you have given is not a valid md5 hash. MD5 outputs 128 bits, or 32 hexadecimal chars. You have supplied 29. The hash of the string 123 is 202cb962ac59075b964b07152d234b70 .
1 Answer 1
A word of warning: As I am sure you have heard many a time, md5 is a broken hash function. Storing passwords hashed with it is only slightly better than plaintext.
After much researching, including trying things out on my own system, I was unable to find a way of using an existing hash that has not been salted. If you still have access to the password, or access to someone who knows it, you can use chpasswd -e to generate a salted hash.
If you have a salted hash, add the user to your system normally, if you haven't done so already. Pick any password you like, as we will overwrite it later. Open the /etc/shadow file, and edit the line starting with the username of your user. Replace the second field (after the first colon, and before the second) with this:
If the hash is unsalted, and you cannot gain access to the password through normal means, using something like hashcat to break it for you could be a viable option.