What is used to create the shadow password hash??

helptonewbie · 11-27-2007, 10:38 AM

Hello,
When you create a new user thats able to login etc etc, you also create there password for them, this obviously works with the users password being hashed irreversibly, then every time the user logs in they give their password, this is hashed again and then compared against the hash in the password file. What i'm asking is what command/function creates this hashed password that goes into the shadow file. eg you can do similar things with echo 'password'|md5sum
OR
echo 'password'|sha1sum

i'm guessing this shadow password hash is created in a similar fashion and i'd like to know what it is? So i can create my own user adding script that adds new users into a file of my own. I know to change a password you just use the passwd command but i'm trying more to be able to retrieve the output.

Hope someone knows thanks regards

ps-i've done an strace of 'passwd' but this didn't make anything to obvious in the method used

matthewg42 · 11-27-2007, 11:13 AM

The makepasswd program knows how. I think it's typical these days to use md5 to do the hashing, but there is a little extra data added, so called "salt", to make it a little more difficult to brute force.

In the shadow file, if the password has field starts with $1$ it is an MD5 password. Without this I believe the crypt function is used. If you discover others (e.g. using SHA1), please post them here.

Here's how to get a hash from a password using makepasswd:

Code:

echo "mypassword" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'

matthewg42 · 11-27-2007, 11:14 AM

You may also be interested in this post which presents a possible method to script auto-generation of passwords:

http://www.linuxquestions.org/questi...8/#post2969056

bigrigdriver · 11-27-2007, 11:15 AM

When a password is set up, md5crypt does the work of hashing the password. If md5crypt can be called from a script, then it should be possible to send it the password in plain text, and get the hash in return.

ron7000 · 11-27-2007, 11:26 AM

are you asking about 'pwconv' ?
that converts the /etc/passwd file to /etc/shadow, or creates the shadow file if it does not exist.

try a man on:
pwconv
pwunconv
pwck

helptonewbie · 11-27-2007, 03:08 PM

thanks guys that was interesting stuff, ron7000 no i wasn't aksing that and in a charge to try and find this out before coming to the forum i'd actually as it turns out already looked into that stuff today. bigrig, unfortunetly i seem to be unable to call the md5crypt, and matt, i also didn't have the makepassword command...makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'....your rite in saying it starting $1$ so it must be md5 with a salt, but there must still be some way in getting this output for myself?

cheers for replies so far

PS-i don't seem to have command pwgen either

matthewg42 · 11-27-2007, 05:18 PM

You could install makepasswd...?

helptonewbie · 11-28-2007, 04:49 PM

hey,
i've messed around with the makepasswd command, but it doesn't create the password the same as what goes into the actual shadow file, thats what i'm trying to achieve, for instance if the password of a user was "password", i want to be able to create exactly the same hash thats already in the shadow file for that user

matthewg42 · 11-28-2007, 10:27 PM

You have to use the --crypt-md5 option to get the right type. Most mainstream distros use the MD5 hash type (although I dare say there are a few which use others).

You can spot MD5 password hashes because they start with $1$. Here is an example which reads the password from standard input:

Code:

% echo "mypassword" | makepasswd --clearfrom=- --crypt-md5
mypassword $1$ihlrowCw$45PvXmJvoJksKqNkoFi8s/

Note that if you run the command more than once, you will get different outputs... this is the salt in action.

helptonewbie · 11-30-2007, 06:38 AM

Hi Matt,
This would not be the command for me as i'm trying to replicate exactly or find out how for instance the password shadowing works then, if the hashed password is different every time then the only way to make it the same is to use the same salt the system does? This salt must be kept somewhere or how can the system authenticate a user on login, if the password entered by a user is changed to a hash thats different every time for whatever reason, then how can the hash i'm guessing that is compared to the hash in the shadow file for authentication work correctly?

iambrucelee · 05-11-2009, 07:46 PM

The Salt is in the hash itself, and is a random salt everytime.

you can use many tools, including openssl to generate the hash.

Here is the breakdown of the entire hash:

the first $1 means that it is an md5 hash. the 2nd $XXXXXX is the salt. the 3rd $XXXXXXX is the hash.

so for example, if I use openssl, and use matthewg42's example

I can type

openssl passwd -1 -salt ihlrowCw

enter in the passord, and it will spit out the exact same hash.

(the -1) means md5

man sslpasswd will give you more options.

grub-md5-crypt is a nice tool for generating md5 hashes also...

vitoreiji · 08-17-2009, 03:02 AM

@iambrucelee Thanks, that was most helpful! Exactly what I was looking for.