LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 11-07-2001, 02:07 PM   #1
jawad bokhari
LQ Newbie
 
Registered: Nov 2001
Location: pakistan
Distribution: red hat linux
Posts: 3

Rep: Reputation: 0
Question Linux password encryption


What is the exact and complete algorithm used by linux to encrypt it's user's password that are stored in /etc/shadow file.

Encrypted password is of length 34 bytes and it takes a salt of 8 chars.

Is there any java/ C++ implementation of such an algorithm.
 
Old 11-07-2001, 02:09 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,628

Rep: Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658
Most newer distro's use MD5.
 
Old 11-07-2001, 02:39 PM   #3
jawad bokhari
LQ Newbie
 
Registered: Nov 2001
Location: pakistan
Distribution: red hat linux
Posts: 3

Original Poster
Rep: Reputation: 0
Question linux password encryption

How does linux encrypt it's user's passowrd that are stored in /etc/shadow and whose length is 34 bytes and which use salt of 8 bytes.

Is it really MD5?
But isn't MD5 generates an output of 16 bytes?
 
Old 11-07-2001, 03:45 PM   #4
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,628

Rep: Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658
"Linux" doesn't encrypt its passwd's with a certain algorithm - it's a distro by distro choice. As I said MOST newer distro's use MD5. What distro are you using? From the sounds of it you are probably using MD5. Do the passwords start with '$1$'? If so they are MD5.


MD5 RFC - http://www.cis.ohio-state.edu/rfc/rfc1321.txt
 
Old 11-08-2001, 02:33 AM   #5
jawad bokhari
LQ Newbie
 
Registered: Nov 2001
Location: pakistan
Distribution: red hat linux
Posts: 3

Original Poster
Rep: Reputation: 0
Unhappy linux password encryption

yes, password starts with $1$. then there's 8 chars salt and then a $ separator and then remaining 22 bytes.
If it's MD5, then how can it be 34 bytes long like this.

As acccording to MD5 rfc, it generates an output of 128-bit always.

Sorry but, what do you exactly mean by distro? Do you mean the distributor by this?
Then i am using Red Hat 7.1

thanks
 
Old 01-09-2002, 03:11 PM   #6
jha0147
LQ Newbie
 
Registered: Jan 2002
Posts: 1

Rep: Reputation: 0
Hi

Did you find any Java API implementation for

8 char salt MD5 encryption

as done in /etc/shadow


please let me know
 
Old 03-24-2011, 06:37 PM   #7
wooggle
LQ Newbie
 
Registered: Mar 2011
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by jha0147 View Post
Hi

Did you find any Java API implementation for

8 char salt MD5 encryption

as done in /etc/shadow


please let me know
Hi,

I know this is like an extremely old post (I just like to take my time OK!), however, I spent hours looking for a way to do this. I use NSS Switch to control my domains. So I needed a way for my users to change their passwords themselves, without actually having to SSH into the server and use passwd.

The best way to obtain the result (in MySQL anyway) is to select the user and their password field, build the result in PHP.

Code:
<?php
$new = explode("$", '$1$SALTGOESHERE$12345678912345678912/');
$existingPattern = '$'.$new[1].'$'.$new[2].'$';
print crypt($_GET['ormethodforpassword'],$existingPattern);
?>
You could modify this to grab the password using fgets() or something similar, but my example uses mysql strings, because its far faster at pulling user passwords and a lot less work.

To explain what this does: -

1. $new => once you have the password you want split it into an array
2. $existingPattern=> We only want the encryption type (in this case MD5 (.. or $1$)) and the Salt (... or $SALTGOESHERE$)the last part is the encrypted password, which, lets face it, we'll never decrypt.
3. use the PHP script in a url to print the new crypted password using the pattern type and your new password.

* NOTE: always use single quotes (') otherwise PHP will think that you're referring to system variables because of the dollar sign ($).

Then you can use something like get_url in Java to read the output of the script from a URL. Don't forget to htpasswd protect the URL or use session management or something similar. You could also write the output into a JSON or XML using PHP, for use in your application. I can't go into too much detail about how you would secure this between a Java Applet/Application and the URL, as I use pure PHP to interact with my user database in Unix, and as the scripts and server are on the localhost I don't need to echo out anything.

All done did.
 
Old 03-25-2011, 08:41 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Wooggle, welcome to LQ. I am glad to see that you were able to find information of value in the archives and want to thank you for providing new insights and suggestions.

I would, however, like to recommend that in the future to please start a new thread instead of appending to an old one, even though old threads are not typically closed off. As you noticed, this one is particularly old and necro-posting is generally discouraged in the forums. If you would like to reference the original content, the best way to do so would be to place a link to it in your post.
 
1 members found this post helpful.
Old 06-29-2012, 09:23 AM   #9
manoj jasawat
LQ Newbie
 
Registered: May 2010
Posts: 11
Blog Entries: 1

Rep: Reputation: 0
you can use this link for Encrypt and Decrypt MD5 Password-

Quote:
Originally Posted by Noway2 View Post
Wooggle, welcome to LQ. I am glad to see that you were able to find information of value in the archives and want to thank you for providing new insights and suggestions.

I would, however, like to recommend that in the future to please start a new thread instead of appending to an old one, even though old threads are not typically closed off. As you noticed, this one is particularly old and necro-posting is generally discouraged in the forums. If you would like to reference the original content, the best way to do so would be to place a link to it in your post.

http://www.hash-cracker.com/hash.php#anchor
 
Old 07-06-2012, 09:49 AM   #10
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,458

Rep: Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172
Actually, in this case, I did find the complete thread to be useful. But, having said that, it is often even more useful to start a new thread which cites one or more other articles from the same or different forums. Now, you can very easily summarize the latest information from everywhere.

The problem with "opening an old thread," of course, is that the information might well be stale, but who really stops to look at the posting-dates for what now appears to be a "new" thread? Not many. Not me. Hence, creating a new thread with citations: the thread is "new or recent," as users typically expect it to be; the citations are understood to be older.

In closing: one thing that isn't mentioned at all in the thread is that, in my experience, most "shops" of any size have long-ago switched their authentication practices to the use of a common authority, i.e. LDAP (nee OpenDirectory), or Kerberos. Both of which are well-supported in Linux thanks to the magic of PAM = Pluggable Authentication Modules. If you want people to have common passwords, or you want a consistent, enterprise-wide way of managing both authentication and authorization, without going absolutely insane, "thais is how." It generally obviates the need for the technique shown in this thread ... replacing it with something much better. Every OS, and every web-server that I know of, supports this strategy.

Last edited by sundialsvcs; 07-06-2012 at 09:51 AM.
 
Old 07-17-2012, 05:37 PM   #11
sharadchhetri
Member
 
Registered: Aug 2008
Location: INDIA
Distribution: Redhat,Debian,Suse,Windows
Posts: 179

Rep: Reputation: 23
Quote:
Originally Posted by sundialsvcs View Post
Actually, in this case, I did find the complete thread to be useful. But, having said that, it is often even more useful to start a new thread which cites one or more other articles from the same or different forums. Now, you can very easily summarize the latest information from everywhere.

The problem with "opening an old thread," of course, is that the information might well be stale, but who really stops to look at the posting-dates for what now appears to be a "new" thread? Not many. Not me. Hence, creating a new thread with citations: the thread is "new or recent," as users typically expect it to be; the citations are understood to be older.

In closing: one thing that isn't mentioned at all in the thread is that, in my experience, most "shops" of any size have long-ago switched their authentication practices to the use of a common authority, i.e. LDAP (nee OpenDirectory), or Kerberos. Both of which are well-supported in Linux thanks to the magic of PAM = Pluggable Authentication Modules. If you want people to have common passwords, or you want a consistent, enterprise-wide way of managing both authentication and authorization, without going absolutely insane, "thais is how." It generally obviates the need for the technique shown in this thread ... replacing it with something much better. Every OS, and every web-server that I know of, supports this strategy.

To know what exactly the distro is using encryption.

check this file.
cat /etc/login.defs

in Red Hat it is MD5
in Ubuntu SHA512
In suse blowfish.

You can change the bydefault encryption method also in your system.

I have taken a section /etc/login.defs from my ubuntu.
I hope it will give you clear picture
It is in below quote


Quote:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no

#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512

 
1 members found this post helpful.
Old 07-17-2012, 05:45 PM   #12
sharadchhetri
Member
 
Registered: Aug 2008
Location: INDIA
Distribution: Redhat,Debian,Suse,Windows
Posts: 179

Rep: Reputation: 23
Quote:
Originally Posted by sharadchhetri View Post
To know what exactly the distro is using encryption.

check this file.
cat /etc/login.defs

in Red Hat it is MD5
in Ubuntu SHA512
In suse blowfish.

You can change the bydefault encryption method also in your system.

I have taken a section /etc/login.defs from my ubuntu.
I hope it will give you clear picture
It is in below quote
One more eg. how to encrypt text word with different algorithm in command line

Quote:
root@tuxworld:~# echo test|sha
sha1pass sha1sum sha224sum sha256sum sha384sum sha512sum shadowconfig shasum
root@tuxworld:~# echo test|sha1sum
4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 -

root@tuxworld:~# echo test|md5
md5pass md5sum md5sum.textutils
root@tuxworld:~# echo test|md5sum
d8e8fca2dc0f896fd7cb4cb0031ba249 -

root@tuxworld:~#
 
Old 08-23-2012, 12:46 AM   #13
bigfootw
LQ Newbie
 
Registered: Jan 2009
Posts: 3

Rep: Reputation: 0
Most Linux distros do not have a command line tool to directly invoke crypt() call to create a password. But you can do this using perl or python.

$ python -c 'import crypt; print crypt.crypt("yourpassword","$1$yoursalt")'

Use '$1$' to prefix the salt if your system use MD5, this is just for consistency purpose.

As for the algorithm, I believe crypt man page should give you enough info, worth to start from there.
 
Old 08-23-2012, 08:26 PM   #14
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
You can certainly call the SHAXXXsum etc algos directly.
Just FYI though looking at my Centos6 box, it looks like default is SHA512; MD5 was default for RHEL5.
Just checked a RHEL6 box: SHA512 again
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Password Encryption morningkiran Linux - Security 2 10-10-2004 08:17 AM
password encryption is changing inetw Linux - Security 7 10-04-2004 10:00 PM
WEP encryption password fatrandy13 Linux - Wireless Networking 14 09-15-2004 03:39 PM
password encryption Lanmate Linux - Security 2 12-26-2003 05:15 AM
Password encryption???: shakeeb Linux - General 4 11-07-2003 08:50 PM


All times are GMT -5. The time now is 12:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration