Oct 1, 2009

Linux: hash algorithms for passwords inside /etc/shadow

You read the headline and are sure that this is easy to answer?
I was thinking the same: just an MD5 hash inside the /etc/shadow file.

But this is not true anymore:
You can use several hash algorithms inside /etc/shadow, such as
  • MD5
  • blowfish
  • DES
  • SHA-256
  • SHA-512
Inside /etc/shadow you can see entries like the following:
schroff:$1$<String1>$<String2>:0:99999:7:::
$1$ stands for MD5, $2a$ for blowfish, $5$ for SHA-256 and $6$ for SHA-512. <String1> contains the salt and <String2> the hashed password.
The other values can be easily interpreted (and changed) with the following command:
schroff@hades:$ chage -l schroff
Letzte Passwortänderung : Feb 01, 2009
Passwort läuft ab : nie
Passwort inaktiv : nie
Benutzerzugang läuft ab : nie
Minimale Anzahl der Tage zwischen Passwortänderungen : 0
Maximale Anzahl der Tage zwischen Passwortänderungen : 99999
Anzahl Tage, an denen vor Passwortablauf gewarnt wird : 7
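As an added example (not code from the original post), a small Python audit that parses shadow(5) records, maps the $id$ prefix to the algorithm named above, pulls out the salt (<String1>) and the day counts that chage -l reports, and lists active accounts still hashed with DES or MD5. The sample records are constructed; only the schroff hash is taken from the post, the other hash strings are placeholders.

```python
import re

# crypt(3) prefixes as listed in the post; traditional DES hashes carry no prefix
HASH_PREFIXES = {"$1$": "MD5", "$2a$": "blowfish", "$5$": "SHA-256", "$6$": "SHA-512"}
LEGACY = {"DES", "MD5"}  # algorithms an audit should flag for re-hashing

def parse_shadow_line(line):
    """Split a shadow(5) record (name:hash:lastchange:min:max:warn:inactive:expire:reserved)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    pw = fields[1]
    h = pw.lstrip("!")  # a locked account ("!" prefix) may still carry its old hash
    algo, salt = "none", None
    for prefix, label in HASH_PREFIXES.items():
        if h.startswith(prefix):
            algo, salt = label, h[len(prefix):].split("$", 1)[0]  # salt is <String1>
            break
    else:
        if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
            algo, salt = "DES", h[:2]  # 2-char salt followed by 11-char hash
        elif h not in ("", "*"):
            algo = "unknown"
    days = [int(f) if f else None for f in fields[2:6]]  # the values chage -l reports
    return {"name": fields[0], "hash": pw, "algorithm": algo, "salt": salt,
            "locked": pw == "" or pw.startswith(("!", "*")),
            "lastchange": days[0], "min_days": days[1], "max_days": days[2], "warn_days": days[3]}

def audit(shadow_text):
    """Names of active (unlocked) accounts whose hash uses a legacy algorithm."""
    weak = []
    for line in shadow_text.splitlines():
        if line.strip():
            e = parse_shadow_line(line)
            if not e["locked"] and e["algorithm"] in LEGACY:
                weak.append(e["name"])
    return weak

# Constructed sample records: the schroff hash is the one from the post, the other
# hash strings are placeholders of the right shape, not real hashes.
SAMPLE = """\
schroff:$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.:14276:0:99999:7:::
oracle:$6$saltsalt$placeholderSHA512hashvalue:14276:0:99999:7:::
legacy:ab/CDEFGHIJKL:14276:0:99999:7:::
nobody:*:14276:0:99999:7:::
olduser:!$1$salt$placeholderMD5hash:14276:0:99999:7:::
"""
if __name__ == "__main__":
    print("needs re-hash:", audit(SAMPLE))  # ['schroff', 'legacy']
```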
And where can the hash algorithm be changed? This depends on the Linux distribution you are using:
  • /etc/pam.d/common-password (Debian)
  • /etc/default/password (SUSE/Novell)
Is there a way to generate these passwords on the command line? Yes, with the Debian package makepasswd (but only for MD5):
echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.

But this will not work via copy and paste into /etc/shadow ;-(
To change a password from a script, some Linux distributions can use:
echo oracle:mypasswd | chpasswd

or
echo -n mypasswd | passwd --stdin oracle
