How To Generate a /etc/passwd password hash via the Command Line on Linux

Mattias Geniar, Monday, October 26, 2015

If you're looking to generate the /etc/shadow hash for a password for a Linux user (for instance: to use in a Puppet manifest), you can easily generate one at the command line.

$ openssl passwd -1
Password:
Verifying - Password:
$1$3JUKmV3R$vZVeb51f1t6QZUecwuRHX0

If you want to pass along a salt to your password:

$ openssl passwd -1 -salt yoursalt
Password:
$1$yoursalt$5WA5NN0quMJ62v5LCu8kj1

The above examples all prompt for your password, so it won't be visible in the history of the server or in the process listing. If you want to directly pass the password as a parameter, use one of these examples.

$ openssl passwd -1
Password:
Verifying - Password:
$1$rr7ygbpo$v.zYy4J3/B73NF/qsrDZJ0

$ echo 'joske' | openssl passwd -1 -stdin
$1$8HOL7Lpu$wYO7x5kUDw39GfQaVqelP/

By default, this will use an MD5 algorithm for your password hash. The openssl tool only allows for those MD5 hashes, so if you're looking for a more secure sha256 hash you can use this Python script as shared by Red Hat.

$ python3 -c "import crypt; print(crypt.crypt('joske'))"
$6$0LNgXS95nJv2B6hm$BRNf00hyT5xGNRnsLSSn3xDPXIs6l34g2kpex4mh0w/fvGz4MYs02qWjVU5NrbVktoNVNRsHU6MUTUua4J5nO0

There you go!
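As an added example (not part of the original post), here is a short Python check that reads shadow-format lines and reports the accounts whose hash still uses the $1$ MD5 scheme that openssl passwd -1 produces. The account names and the classify/audit helpers are assumptions made for illustration; the hash strings are the ones shown above.

```python
import re

# crypt(3) scheme ids relevant to the post -> (name, fine for new hashes?)
SCHEMES = {
    "1": ("MD5-crypt", False),     # what `openssl passwd -1` produces
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),  # the "$6$" output of the python one-liner
}
# Layout of a hash field: $id$[rounds=N$]salt$digest
MCF = re.compile(r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
                 r"(?P<salt>[^$]*)\$(?P<digest>[^$]+)$")

# Constructed sample: account names are made up, hashes are copied from the post.
SAMPLE_SHADOW = """\
root:$6$0LNgXS95nJv2B6hm$BRNf00hyT5xGNRnsLSSn3xDPXIs6l34g2kpex4mh0w/fvGz4MYs02qWjVU5NrbVktoNVNRsHU6MUTUua4J5nO0:16734:0:99999:7:::
deploy:$1$8HOL7Lpu$wYO7x5kUDw39GfQaVqelP/:16734:0:99999:7:::
legacy:!$1$yoursalt$5WA5NN0quMJ62v5LCu8kj1:16734:0:99999:7:::
daemon:*:16734:0:99999:7:::
"""

def classify(field):
    """Classify the password field (2nd column) of one shadow entry."""
    if field in ("", "*", "!", "!!"):
        return ("no-password", None, None)
    locked = field.startswith("!")        # a leading "!" marks a locked account
    m = MCF.match(field.lstrip("!"))
    if m is None:
        return ("other", None, None)      # DES, bcrypt, yescrypt...: not judged here
    name, ok = SCHEMES[m.group("id")]
    status = ("locked-" if locked else "") + ("ok" if ok else "weak")
    return (status, name, m.group("salt"))

def audit(shadow_text):
    """Return [(user, status, scheme)] for every entry still on MD5-crypt."""
    findings = []
    for line in shadow_text.splitlines():
        user, sep, rest = line.partition(":")
        if not sep:
            continue                      # not a shadow entry
        status, scheme, _salt = classify(rest.split(":", 1)[0])
        if status.endswith("weak"):
            findings.append((user, status, scheme))
    return findings

if __name__ == "__main__":
    for user, status, scheme in audit(SAMPLE_SHADOW):
        print(f"{user}: {scheme} ({status}) - regenerate with SHA-512")
```

The same classify function can be pointed at the hash strings in a Puppet manifest before they are deployed.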




Comments

Stéphan Schamp Tuesday, October 27, 2015 at 18:10

Don’t want your password to be logged or visible in ps output?

Use an environment variable:

PASS="joske" python3 -c "import crypt; import os; print(crypt.crypt(os.environ['PASS']))"
# PASS="joske" python -c "import crypt; import os; print crypt.crypt(os.environ['PASS'])"&
# ps fauxwww | grep 'python -c'
root       62804  0.0  0.0 139044  4972 pts/1    R    17:05   0:00  |       \_ python -c import crypt; import os; print crypt.crypt(os.environ['PASS'])

tada, no leaking of password via ps output!

To go one step further and disable logging to history:

set +o history
PASS="joske" python3 -c "import crypt; import os; print(crypt.crypt(os.environ['PASS']))"
set -o history

On some systems it may be possible to use a space before your command to exempt it from being added to the history.
This depends on your HISTIGNORE environment variable.
