Home / server / Questions / 87874
In Process
Egon Willighagen
Asked: 2009-11-25 08:45:48 +0800 CST

How should someone create an encrypted password for /etc/shadow?

  • 772

I am setting up a new account on a Linux box for Subversion repository access, and can send the password to the new user. However, I think there was a command line utility for this new user to encrypt the password he likes into a format I can copy/paste directly into the /etc/shadow file.

What was the full command that this new user should run on the console (e.g. Bash) to create such an encrypted password?

UPDATE: the user will not be allowed to log in on the machine, and the account will merely be used for svn+ssh:// access. Therefore, the user cannot change it himself.

bash

6 Answers

  1. the user can execute on his computer something like:

    echo "password"|openssl passwd -1 -stdin

    and then send you the output.

    • 16

  2. The format of the password in shadow can vary. You could set it to be MD5 or the good old DES3 or... You are good sending your user a password and forcing her to change it in the first login (# chage -d 0 username)

    • 2

  3. Instead of having them encrypt the password and send it to you, why not just tell them to type:

    passwd

    It will do everything you want with the added advantage that they can change their passwords without any extra work for you.

    EDIT: According to this, there's supposedly a command called makepassword that you can get for Debian/Ubuntu.

    • 1

  4. /etc/passwd and /etc/shadow are very easy to tokenize with the usual command line tools (i.e. grep, awk, sed, tr, etc).

    What becomes interesting is the actual password hash field in /etc/shadow, its prefix tells you how the password has been encrypted. From man (5) shadow :

    The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 characters alphabet a thru z, A
thru Z, 0 thru 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another
(not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.

    How it was encrypted broadly depends on how old the installed OS happens to be. Its important to pay special attention to the second field in /etc/shadow.

    You should make every effort to follow whatever hash the system is using, be it DES, MD5, etc, since its so easy to detect.

    • 0

  5. Why not SU into to the user and run passwd?

    • 0

  6. Is there a way to generate this passwords via command line? Yes, with debian package makepasswd (but only for MD5):

    echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.

    But this will not work via copy and paste inside /etc/shadow To change password via script in some linux distributions, you can use:

    echo oracle:mypasswd | chpasswd

    or

    echo -n mypasswd | passwd --stdin oracle
    • 0