How To Generate a /etc/passwd password hash via the Command Line on Linux

Mattias Geniar, Monday, October 26, 2015

If you're looking to generate the /etc/shadow hash for a password for a Linux user (for instance: to use in a Puppet manifest), you can easily generate one at the command line.

$ openssl passwd -1
Password:
Verifying - Password:
$1$3JUKmV3R$vZVeb51f1t6QZUecwuRHX0

If you want to pass along a salt to your password:

$ openssl passwd -1 -salt yoursalt
Password:
$1$yoursalt$5WA5NN0quMJ62v5LCu8kj1

The above examples all prompt for your password, so it won't be visible in the shell history of the server or in the process listing. If you want to directly pass the password as a parameter, use one of these examples.

$ openssl passwd -1
Password:
Verifying - Password:
$1$rr7ygbpo$v.zYy4J3/B73NF/qsrDZJ0

$ echo 'joske' | openssl passwd -1 -stdin
$1$8HOL7Lpu$wYO7x5kUDw39GfQaVqelP/

By default, this will use an md5 algorithm for your password hash. The openssl tool only allows for those md5 hashes, so if you're looking for a more secure sha256 hash you can use this Python script as shared by Red Hat.

$ python3 -c "import crypt; print(crypt.crypt('joske'))"
$6$0LNgXS95nJv2B6hm$BRNf00hyT5xGNRnsLSSn3xDPXIs6l34g2kpex4mh0w/fvGz4MYs02qWjVU5NrbVktoNVNRsHU6MUTUua4J5nO0

There you go!
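The prefix of each hash names its crypt(3) scheme: $1$ is MD5-crypt, $5$ is SHA-256-crypt and $6$ is SHA-512-crypt. The script below is an added example, not part of the original post: it audits /etc/shadow-style lines (or hashes copied into a Puppet manifest) and flags MD5-based, malformed or empty password fields. The user names, the shadow lines and the MIN_ROUNDS policy floor are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# crypt(3) id -> (scheme name, max salt length, encoded digest length, weak?)
SCHEMES = {"1": ("md5crypt", 8, 22, True),
           "5": ("sha256crypt", 16, 43, False),
           "6": ("sha512crypt", 16, 86, False)}
B64 = r"[./0-9A-Za-z]"
FIELD = re.compile(rf"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
                   rf"(?P<salt>{B64}*)\$(?P<digest>{B64}+)$")
MIN_ROUNDS = 5000  # assumed policy floor: the glibc default for $5$/$6$

class Finding(NamedTuple):
    user: str
    scheme: str            # scheme name, or "empty" / "locked" / "unknown"
    rounds: Optional[int]  # explicit rounds= value, None when absent
    ok: bool               # True when nothing needs attention
    note: str

def audit_shadow_line(line: str) -> Finding:
    """Classify the password field of one /etc/shadow-style line."""
    user, field = line.rstrip("\n").split(":")[:2]
    if field == "":
        return Finding(user, "empty", None, False, "no password required")
    if field.startswith(("!", "*")):
        return Finding(user, "locked", None, True, "password login disabled")
    m = FIELD.match(field)
    if not m:
        return Finding(user, "unknown", None, False, "not $1$/$5$/$6$ format")
    name, max_salt, digest_len, weak = SCHEMES[m["id"]]
    rounds = int(m["rounds"]) if m["rounds"] else None
    if len(m["salt"]) > max_salt or len(m["digest"]) != digest_len:
        return Finding(user, name, rounds, False, "malformed salt or digest")
    if weak:
        return Finding(user, name, rounds, False, "MD5-based, regenerate")
    if rounds is not None and rounds < MIN_ROUNDS:
        return Finding(user, name, rounds, False, "rounds below policy floor")
    return Finding(user, name, rounds, True, "ok")

# Constructed sample: hypothetical users around two hashes from this post.
SAMPLE = [
    "alice:$1$yoursalt$5WA5NN0quMJ62v5LCu8kj1:16734:0:99999:7:::",
    "bob:$6$0LNgXS95nJv2B6hm$BRNf00hyT5xGNRnsLSSn3xDPXIs6l34g2kpex4mh0w/"
    "fvGz4MYs02qWjVU5NrbVktoNVNRsHU6MUTUua4J5nO0:16734:0:99999:7:::",
    "daemon:*:16734:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_shadow_line(entry))
```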



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.



Comments

Stéphan Schamp Tuesday, October 27, 2015 at 18:10

Don’t want your password to be logged or visible in ps output?

Use an environment variable:

PASS="joske" python -c "import crypt; import os; print crypt.crypt(os.environ['PASS'])"
# PASS="joske" python -c "import crypt; import os; print crypt.crypt(os.environ['PASS'])"&
# ps fauxwww | grep 'python -c'
root       62804  0.0  0.0 139044  4972 pts/1    R    17:05   0:00  |       \_ python -c import crypt; import os; print crypt.crypt(os.environ['PASS'])

tada, no leaking of password via ps output!

To go one step further and disable logging to history:

set +o history
PASS="joske" python -c "import crypt; import os; print crypt.crypt(os.environ['PASS'])"
set -o history

On some systems it may be possible to use a space before your command to exempt it from being added to the history.
This depends on your HISTIGNORE environment variable.

