If you’re looking to generate the /etc/shadow hash for a password for a Linux user (for instance: to use in a Puppet manifest), you can easily generate one at the command line.
$ openssl passwd -1
Password:
Verifying - Password:
$1$3JUKmV3R$vZVeb51f1t6QZUecwuRHX0
If you want to pass along a salt to your password;
$ openssl passwd -1 -salt yoursalt
Password:
$1$yoursalt$5WA5NN0quMJ62v5LCu8kj1
The above examples all prompt your password, so it won’t be visible in the history of the server or in the process listing. If you want to directly pass the password as a parameter, use one of these examples.
$ openssl passwd -1
Password:
Verifying - Password:
$1$rr7ygbpo$v.zYy4J3/B73NF/qsrDZJ0
$ echo 'joske' | openssl passwd -1 -stdin
$1$8HOL7Lpu$wYO7x5kUDw39GfQaVqelP/
By default (with -1), this uses the md5-based BSD password algorithm. That was the only option in the old openssl versions, but modern openssl (1.1.0 and up) can generate the stronger SHA-256 ($5$) and SHA-512 ($6$) hashes too, with the -5 and -6 flags. For an /etc/shadow-compatible SHA-512 hash, that’s all you need:
$ echo 'joske' | openssl passwd -6 -stdin
$6$Chs6OW5oXjVy/123$wYO7x5kUDw39GfQaVqelP/...
There you go!
If you’re on an older openssl that doesn’t support -6, you used to be able to fall back to Python’s crypt module:
$ python2 -c "import crypt; print crypt.crypt('joske')"
$6$0LNgXS95nJv2B6hm$BRNf00hyT5xGNRnsLSSn3xDPXIs6l34g2kpex4mh0w/fvGz4MYs02qWjVU5NrbVktoNVNRsHU6MUTUua4J5nO0
Note that this was Python 2 syntax (print without parentheses), and the crypt module was deprecated in Python 3.11 and removed entirely in Python 3.13, so it’s no longer an option there. Stick with openssl passwd -6 (or mkpasswd --method=sha-512 from the whois/mkpasswd package) on modern systems. Red Hat also has a knowledgebase article on SHA-2 shadow hashes
(subscription required).