What is the exact and complete algorithm used by linux to encrypt it's user's password that are stored in /etc/shadow file.

Encrypted password is of length 34 bytes and it takes a salt of 8 chars.

Is there any java/ C++ implementation of such an algorithm.

Most newer distro's use MD5.

How does linux encrypt it's user's passowrd that are stored in /etc/shadow and whose length is 34 bytes and which use salt of 8 bytes.

Is it really MD5?
But isn't MD5 generates an output of 16 bytes?

"Linux" doesn't encrypt its passwd's with a certain algorithm - it's a distro by distro choice. As I said MOST newer distro's use MD5. What distro are you using? From the sounds of it you are probably using MD5. Do the passwords start with '$1$'? If so they are MD5.


MD5 RFC - http://www.cis.ohio-state.edu/rfc/rfc1321.txt

yes, password starts with $1$. then there's 8 chars salt and then a $ separator and then remaining 22 bytes.
If it's MD5, then how can it be 34 bytes long like this.

As acccording to MD5 rfc, it generates an output of 128-bit always.

Sorry but, what do you exactly mean by distro? Do you mean the distributor by this?
Then i am using Red Hat 7.1

thanks

Hi

Did you find any Java API implementation for

8 char salt MD5 encryption

as done in /etc/shadow


please let me know

Hi,

I know this is like an extremely old post (I just like to take my time OK!), however, I spent hours looking for a way to do this. I use NSS Switch to control my domains. So I needed a way for my users to change their passwords themselves, without actually having to SSH into the server and use passwd.

The best way to obtain the result (in MySQL anyway) is to select the user and their password field, build the result in PHP.

You could modify this to grab the password using fgets() or something similar, but my example uses mysql strings, because its far faster at pulling user passwords and a lot less work.

To explain what this does: -

1. $new => once you have the password you want split it into an array
2. $existingPattern=> We only want the encryption type (in this case MD5 (.. or $1$)) and the Salt (... or $SALTGOESHERE$)the last part is the encrypted password, which, lets face it, we'll never decrypt.
3. use the PHP script in a url to print the new crypted password using the pattern type and your new password.

* NOTE: always use single quotes (') otherwise PHP will think that you're referring to system variables because of the dollar sign ($).

Then you can use something like get_url in Java to read the output of the script from a URL. Don't forget to htpasswd protect the URL or use session management or something similar. You could also write the output into a JSON or XML using PHP, for use in your application. I can't go into too much detail about how you would secure this between a Java Applet/Application and the URL, as I use pure PHP to interact with my user database in Unix, and as the scripts and server are on the localhost I don't need to echo out anything.

All done did.

Wooggle, welcome to LQ. I am glad to see that you were able to find information of value in the archives and want to thank you for providing new insights and suggestions.

I would, however, like to recommend that in the future to please start a new thread instead of appending to an old one, even though old threads are not typically closed off. As you noticed, this one is particularly old and necro-posting is generally discouraged in the forums. If you would like to reference the original content, the best way to do so would be to place a link to it in your post.

1 members found this post helpful.

http://www.hash-cracker.com/hash.php#anchor

Actually, in this case, I did find the complete thread to be useful. But, having said that, it is often even more useful to start a new thread which cites one or more other articles from the same or different forums. Now, you can very easily summarize the latest information from everywhere.

The problem with "opening an old thread," of course, is that the information might well be stale, but who really stops to look at the posting-dates for what now appears to be a "new" thread? Not many. Not me. Hence, creating a new thread with citations: the thread is "new or recent," as users typically expect it to be; the citations are understood to be older.

In closing: one thing that isn't mentioned at all in the thread is that, in my experience, most "shops" of any size have long-ago switched their authentication practices to the use of a common authority, i.e. LDAP (nee OpenDirectory), or Kerberos. Both of which are well-supported in Linux thanks to the magic of PAM = Pluggable Authentication Modules. If you want people to have common passwords, or you want a consistent, enterprise-wide way of managing both authentication and authorization, without going absolutely insane, "thais is how." It generally obviates the need for the technique shown in this thread ... replacing it with something much better. Every OS, and every web-server that I know of, supports this strategy.

To know what exactly the distro is using encryption.

check this file.
cat /etc/login.defs

in Red Hat it is MD5
in Ubuntu SHA512
In suse blowfish.

You can change the bydefault encryption method also in your system.

I have taken a section /etc/login.defs from my ubuntu.
I hope it will give you clear picture
It is in below quote

1 members found this post helpful.

One more eg. how to encrypt text word with different algorithm in command line

Most Linux distros do not have a command line tool to directly invoke crypt() call to create a password. But you can do this using perl or python.

$ python -c 'import crypt; print crypt.crypt("yourpassword","$1$yoursalt")'

Use '$1$' to prefix the salt if your system use MD5, this is just for consistency purpose.

As for the algorithm, I believe crypt man page should give you enough info, worth to start from there.

You can certainly call the SHAXXXsum etc algos directly.
Just FYI though looking at my Centos6 box, it looks like default is SHA512; MD5 was default for RHEL5.
Just checked a RHEL6 box: SHA512 again