TransWikia.com

Manually generate password for /etc/shadow

Unix & Linux Asked on November 14, 2021

I need to manually edit /etc/shadow to change the root password inside of a virtual machine image.

Is there a command-line tool that takes a password and generates an /etc/shadow compatible password hash on standard out?

10 Answers

As many commenters have pointed out, specifying your salt, let alone your password, is a security problem, because it makes reusing salts possible. Reuse of salts makes rainbow table attacks on your password hashes much more feasible, and it also makes it obvious which users share passwords with each other (isolating and highlighting likely less secure passwords such as 123456 or qwertyuiop).

You should not specify your password on the command line (because it is saved in shell history, and even if it's deleted, it could still reside for some time in the free space of your disk, especially if you're using a COW filesystem). You should not manually specify your salt at all. You can achieve this by simply using:

openssl passwd -6

(-6 specifies SHA512. Use -5 for SHA256. Avoid -1 for MD5, if possible.)

OpenSSL will ask you for your password via stdin twice, and generate a random salt for each input.

Answered by OmnipotentEntity on November 14, 2021
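The salt-reuse and weak-scheme concerns in the answer above can be checked mechanically. This is an added example, not code from the answer or the original page: a small auditor over shadow-format lines that flags MD5/DES entries and accounts sharing a salt. The function name, the sample accounts and the placeholder digests are constructed for illustration.

```python
import re
from collections import defaultdict

SCHEMES = {"1": ("md5", False), "5": ("sha256", True), "6": ("sha512", True)}  # id -> (name, ok?)
# $id$[rounds=N$]salt$digest, the layout produced by openssl passwd -1/-5/-6
MCF = re.compile(r"\$([156])\$(?:rounds=\d+\$)?([./0-9A-Za-z]{0,16})\$([./0-9A-Za-z]+)$")
DES = re.compile(r"[./0-9A-Za-z]{13}$")  # traditional crypt: 2-char salt + 11-char digest

def audit_shadow(text):
    """Return (users, finding) tuples for weak schemes and reused salts."""
    findings, by_salt = [], defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1].lstrip("!")  # "!" prefix = locked entry
        if pw in ("", "*"):
            continue  # no hash stored
        m = MCF.match(pw)
        if m:
            (name, ok), salt = SCHEMES[m[1]], m[2]
        elif DES.match(pw):
            name, ok, salt = "des", False, pw[:2]
        else:
            continue  # other schemes (e.g. yescrypt) are outside this sketch
        if not ok:
            findings.append((user, "weak scheme " + name))
        by_salt[(name, salt)].append((user, pw))
    for entries in by_salt.values():
        if len(entries) > 1:
            users = ",".join(sorted(u for u, _ in entries))
            same = len({h for _, h in entries}) == 1
            findings.append((users, "salt reused" + (", identical hash" if same else "")))
    return findings

# Constructed sample: root line as shown on this page; 86-char digests are placeholders.
D1, D2 = "a" * 86, "b" * 86
SAMPLE = "\n".join([
    "root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::",
    "alice:$6$saltsalt$" + D1 + ":19000:0:99999:7:::",
    "bob:$6$saltsalt$" + D1 + ":19000:0:99999:7:::",
    "carol:$6$Zk3pQ9rT1uVw2xY4$" + D2 + ":19000:0:99999:7:::",
    "old:XR1dOp2EVMph2:15000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
])

if __name__ == "__main__":
    for users, finding in audit_shadow(SAMPLE):
        print(users + ": " + finding)
```

With a shared salt, an identical hash under the same scheme means the two accounts have the same password, which is the exposure the answer describes.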

Currently, I don't have enough reputation to comment. I created this password generator tool. It uses method no 1 described by Rahul Patil.

Answered by Ammad Khalid on November 14, 2021

Expanding a bit on the criticisms of u150825 and Gert van den Berg, I found myself needing something relatively flexible for different situations with different automation systems. I decided I would add to my own little library of useful scripts and write this. It uses only native libraries from python 2.7+, and works on python3 just as well.

You can pick it up here if you like. It's just as easy to drop this in your environment if you're needing to use it a lot, http hosted or whatever, and you can run it on any platform using whatever the default python interpreter you've got available to you is, pretty reliably counting on it working.

It defaults to prompting using getpass with prompts on stderr (allowing easy capture of stdout), but if you pipe a string to it it'll just reap from stdin. Depending on how you're going about this, it may not be showing up in command history, either, so just be cognizant of what it is you're working with. I like having a flexible tool that'll behave in an expected way, rather than having to rely on packages or python one-lining my way to victory 10 different ways.

Answered by James Harmison on November 14, 2021

The openssl and chpasswd -e pair didn't work in my case in RHEL6. Combining openssl passwd and usermod -p command did the job.

Generate the hash value of the password along with the salt value:

$ openssl passwd -1  -salt 5RPVAd clear-text-passwd43

$1$5RPVAd$vgsoSANybLDepv2ETcUH7.

Then, copy the encrypted string to usermod. Make sure to wrap it with single quotes.

$ usermod -p '$1$5RPVAd$vgsoSANybLDepv2ETcUH7.' root

Check it out in shadow file.

$ grep root /etc/shadow

root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::

Answered by Joon Byun on November 14, 2021
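The same field replacement applied to a shadow file taken from a mounted image instead of the running system, as an added example that is not part of the answer above. `set_shadow_hash` is a hypothetical helper; it refuses anything that is not a salted `$5$`/`$6$` hash, and the temporary file stands in for the image's `etc/shadow`.

```python
import re, time

# $5$ (SHA-256) or $6$ (SHA-512) crypt string with a salt and a 43-86 char digest
GOOD = re.compile(r"\$[56]\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43,86}$")

def set_shadow_hash(shadow_path, user, new_hash, today=None):
    """Replace the hash of `user` in a shadow file; return the last-change day written."""
    if not GOOD.match(new_hash):
        raise ValueError("expected a $5$/$6$ crypt hash, refusing to write")
    days = int(time.time() // 86400) if today is None else today
    with open(shadow_path) as f:
        lines = f.read().splitlines()
    hits = 0
    for i, line in enumerate(lines):
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[1] = new_hash      # field 2: password hash
            fields[2] = str(days)     # field 3: last change, in days since 1970-01-01
            lines[i] = ":".join(fields)
            hits += 1
    if hits != 1:
        raise LookupError("%r matched %d entries" % (user, hits))
    # Rewrite in place so the file keeps its inode, owner, mode and security label.
    with open(shadow_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return days

if __name__ == "__main__":
    import os, tempfile
    path = os.path.join(tempfile.mkdtemp(), "shadow")  # stands in for <mount>/etc/shadow
    with open(path, "w") as f:  # constructed sample; root line as shown on this page
        f.write("root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::\n")
    placeholder = "$6$Zk3pQ9rT1uVw2xY4$" + "a" * 86  # placeholder, not real hash output
    set_shadow_hash(path, "root", placeholder, today=19000)
    print(open(path).read(), end="")
```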

None of the current methods are acceptable to me - They either pass the password on the command line (which ends up in my shell's history), require the installation of additional utilities (python3, makepasswd), use hard-coded salts or use old hashing techniques.

This method would generate SHA-512 hashes after prompting for the password and would use a random salt.

A method utilising Python 2 without any non-standard libraries:

python2 -c 'import crypt, getpass,os,base64; print crypt.crypt(getpass.getpass(), "$6$"+base64.b64encode(os.urandom(16))+"$")'

To do it without a prompt: (This will leave your password in the command history)

python2 -c 'import crypt, os,base64; print crypt.crypt("MyPassword", "$6$"+base64.b64encode(os.urandom(16))+"$")'

Answered by Gert van den Berg on November 14, 2021

Yet another method to generate passwords is using the openssl tool.

Generate MD5 passwords

openssl passwd -1 -salt SaltSalt SecretPassword
# output: $1$SaltSalt$FSYmvnuDuSP883uWgYBXW/

Generate DES passwords

openssl passwd -crypt -salt XR SuprScrt
# output: XR1dOp2EVMph2

Answered by Evgeny on November 14, 2021

This solution has the following benefits:

  • Nothing additional to install
  • Does not store the password in your shell history
  • Generates a random salt for you
  • Uses a modern, strong hashing algorithm, SHA-512
  • Re-prompts for the password to avoid mistakes.

    $ python3 -c "from getpass import getpass; from crypt import *; \
        p=getpass(); print('\n'+crypt(p, METHOD_SHA512)) \
        if p==getpass('Please repeat: ') else print('\nFailed repeating.')"
    


Answered by u150825 on November 14, 2021

For those without Debian-based systems, Python3 works just as well.

python3 -c 'import crypt, getpass; print(crypt.crypt(getpass.getpass()))'

getpass.getpass() will prompt you for a password on the command line.

Answered by Greg on November 14, 2021

On Ubuntu 12.04, there is mkpasswd (from the whois package): Overfeatured front end to crypt(3)

mkpasswd  -m sha-512 -S saltsalt -s <<< YourPass

Where:

  • -m = Compute the password using the TYPE method. If TYPE is help then the available methods are printed.
  • -S = salt used.

E.g.

$ mkpasswd -m help

-s = Read password from stdin

Answered by user3183018 on November 14, 2021

You can use the following commands for the same:

Method 1 (md5, sha256, sha512)

openssl passwd -6 -salt xyz  yourpass

Note: passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512 (recommended)

Method 2 (md5, sha256, sha512)

mkpasswd --method=SHA-512 --stdin

The option --method accepts md5, sha-256 and sha-512

Method 3 (des, md5, sha256, sha512)

As @tink suggested, we can update the password using chpasswd using:

echo "username:password" | chpasswd 

Or you can use the encrypted password with chpasswd. First generate it using this:

# Perl's crypt() takes two arguments; the $6$ prefix in the salt selects SHA-512
perl -e 'print crypt("YourPasswd", "\$6\$salt\$"),"\n"'

Then later you can use the generated password to update /etc/shadow:

echo "username:encryptedPassWd" | chpasswd -e

The encrypted password we can also use to create a new user with this password, for example:

useradd -p 'encryptedPassWd'  username

Answered by Rahul Patil on November 14, 2021
