Home / server / Questions / 330069
Accepted
Belmin Fernandez
Asked: 2011-11-12 03:14:37 +0800 CST

How to create an SHA-512 hashed password for shadow?

  • 772

The previous SF questions I've seen have lead to answers that produce MD5 hashed password.

Does anyone have a suggestion on to produce an SHA-512 hashed password? I'd prefer a one liner instead of a script but, if a script is the only solution, that's fine as well.

Update

Replacing previous py2 versions with this one:

python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"
linux authentication encryption md5

20 Answers

  1. Best Answer

    Edit: Please note this answer is 10+ years old.

    Here's a one liner:

    python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'

    Python 3.3+ includes mksalt in crypt, which makes it much easier (and more secure) to use:

    python3 -c 'import crypt; print(crypt.crypt("test", crypt.mksalt(crypt.METHOD_SHA512)))'

    If you don't provide an argument to crypt.mksalt (it could accept crypt.METHOD_CRYPT, ...MD5, SHA256, and SHA512), it will use the strongest available.

    The ID of the hash (number after the first $) is related to the method used:

    • 1 -> MD5
    • 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
    • 5 -> SHA-256 (since glibc 2.7)
    • 6 -> SHA-512 (since glibc 2.7)

    I'd recommend you look up what salts are and such and as per smallclamgers comment the difference between encryption and hashing.

    Update 1: The string produced is suitable for shadow and kickstart scripts.
    Update 2: Warning. If you are using a Mac, see the comment about using this in python on a mac where it doesn't seem to work as expected.

    On macOS you should not use the versions above, because Python uses the system's version of crypt() which does not behave the same and uses insecure DES encryption. You can use this platform independent one liner (requires passlib – install with pip3 install passlib):

    python3 -c 'import passlib.hash; print(passlib.hash.sha512_crypt.hash("test"))'
    • 75

  2. On Debian you can use mkpasswd to create passwords with different hashing algorithms suitable for /etc/shadow. It is included in the package whois (according to apt-file)

    mkpasswd -m sha-512
mkpasswd -m md5

    to get a list of available hashing algoritms type:

    mkpasswd -m help

    HTH

    • 40

  3. Using grub-crypt

    Usage: grub-crypt [OPTION]...
Encrypt a password.

-h, --helpPrint this message and exit
-v, --version           Print the version information and exit
--md5                   Use MD5 to encrypt the password
--sha-256               Use SHA-256 to encrypt the password
**--sha-512             Use SHA-512 to encrypt the password (default)**
    • 25

  4. Here's a short C code to generate the SHA-512 password on various Unix type OSes.

    File: passwd-sha512.c

    #define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  if ( argc < 3 || (int) strlen(argv[2]) > 16 ) {
    printf("usage: %s password salt\n", argv[0]);
    printf("--salt must not larger than 16 characters\n");
    return;
  }

  char salt[21];
  sprintf(salt, "$6$%s$", argv[2]);

  printf("%s\n", crypt((char*) argv[1], (char*) salt));
  return;
}

    to compile:

    /usr/bin/gcc -lcrypt -o passwd-sha512 passwd-sha512.c

    usage:

    passwd-sha512 <password> <salt (16 chars max)>
    • 14

  5. Surprising that no answer suggests the simple openssl passwd command with the -6 option. Maybe it wasn't available yet in 2011?

    If you don't care providing the password on the command-line (risking it staying in the command history), then you can do:

    openssl passwd -6 YourPassword

    It will generate the salt, and output a line like this:

    $6$/57kpVAA/kuPUtzV$Ugxo0RTL2uXCvU7WH43c1qn0quMy2ve.qiBYJPG75tFgTN8gI5Jp/FYPXFOzIsASqVTqM42kjN2805VYLHKzm1

    With the stdin option, it can also read the password from STDIN (or a file), so you don't leave it behind in the history:

    openssl passwd -6 -stdin
    • 7

  6. Perl one-liner solution to generate SHA-512 hashed password:

    perl -le 'print crypt "desiredPassword", "\$6\$customSalt\$"'

    Worked on RHEL 6

    • 4

  7. Why not perform the following check and modification to Centos/RHEL machines to ensure that all password hashing for /etc/shadow is done with sha512. Then you can just set your passworkd normally with the passwd command 

    #Set stronger password hasing
/usr/sbin/authconfig --test | grep sha512 > /dev/null
if [ $? -ne 0 ]; then
echo "Configuring sha512 password hashing"
sudo /usr/sbin/authconfig --enableshadow --passalgo=sha512 --updateall
fi
    • 2

  8. Here is a one-liner that uses shell commands to create a SHA-512 hashed password with a random salt:

    [root@host] mkpasswd -m sha-512 MyPAsSwOrD $(openssl rand -base64 16 | tr -d '+=' | head -c 16)

    Notes

    1. You may need to install the "whois" package (Debian, SuSE, etc.), which provides "mkpasswd".
    2. See crypt(3) for details on the format of lines in "/etc/shadow".
    • 2

  9. Read the comment below to learn about security implications of this answer

    For those of the Ruby mindset here is a one-liner:

    'password'.crypt('$6$' + rand(36 ** 8).to_s(36))
    • 2

  10. All examples will be using SHA-512, <password> as password placeholder and <salt> as salt placeholder.

    mkpasswd

    Note: mkpasswd binary is installed via the package whois on Debian / Ubuntu only. On other Linux distribution such as ArchLinux, Fedora, CentOS, openSUSE, etc. mkpasswd is provided by the expect package but is an totally different utility which is available as expect_mkpasswd on Debian / Ubuntu. whois of all other Linux distro doesn't include mkpasswd but the source (C lang) can be found on the original repository https://github.com/rfc1036/whois.

    # With a random password and random salt
mkpasswd -m sha-512
# With a random random salt
mkpasswd -m sha-512 '<password>'
# Choosing both password and salt
mkpasswd -m sha-512 '<password>' '<salt>'
# Read password from stdin to avoid leaking it in shell command history
mkpasswd -m sha-512 --stdin

    OpenSSL

    # With a random random salt
openssl passwd -6 '<password>'
# Choosing both password and salt
openssl passwd -6 --salt '<salt>' '<password>'
# Read password from stdin to avoid leaking it in shell command history
openssl passwd -6 -stdin
openssl passwd -6

    Ruby

    # With a random password and random salt
ruby -e 'require "securerandom"; puts SecureRandom.alphanumeric(20).crypt("$6$" + rand(36 ** 8).to_s(36))'
# With a random random salt
ruby -e 'puts "<password>".crypt("$6$" + rand(36 ** 8).to_s(36))'
# Choosing both password and salt
ruby -e 'puts "<password>".crypt("$6$<salt>")'
# Read password from stdin to avoid leaking it in shell command history
ruby -e 'require "io/console"; puts IO::console.getpass.crypt("$6$" + rand(36 ** 8).to_s(36))'

    Note: for those who complains that Random#rand is a PRNG, you can use the secure SecureRandom#rand but it's not very important is rand is used only to generate the salt which is publicly available in the hash at the end.

    ruby -e 'require "securerandom"; puts "<password>".crypt("$6$" + SecureRandom.rand(36 ** 8).to_s(36))'

    Perl

    # Choosing both password and salt
perl -le 'print crypt "<password>", "\$6\$<salt>\$"'

    Python

    Requires Python >= 3.3

    # With a random random salt
python -c 'import crypt; print(crypt.crypt("<password>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Choosing both password and salt
python -c 'import crypt; print(crypt.crypt("<password>", "$6$<salt>"))'
# Read password from stdin to avoid leaking it in shell command history
python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))

    grub-crypt

    Note: The grub package doesn't include grub-crypt in many distros.

    # With a random random salt
# Read password from stdin to avoid leaking it in shell command history
grub-crypt --sha-512
    • 1