Manually generate password for /etc/shadow
I need to manually edit /etc/shadow to change the root password inside of a virtual machine image.
Is there a command-line tool that takes a password and generates an /etc/shadow compatible password hash on standard out?
You can use the following commands for the same:
Method 1 (md5, sha256, sha512)
openssl passwd -6 -salt xyz yourpass
-1 will generate an MD5 password, -5 a SHA256 and -6 SHA512 (recommended)
Method 2 (md5, sha256, sha512)
mkpasswd --method=SHA-512 --stdin
Method 3 (des, md5, sha256, sha512)
As @tink suggested, we can update the password using
echo "username:password" | chpasswd
Or you can use the encrypted password with chpasswd. First generate it using this:
perl -e 'print crypt("YourPasswd", "\$6\$salt\$"), "\n"'
Then later you can use the generated password to update
echo "username:encryptedPassWd" | chpasswd -e
The encrypted password we can also use to create a new user with this password, for example:
useradd -p 'encryptedPassWd' username
On Ubuntu 12.04, there is mkpasswd (from the whois package):
Overfeatured front end to crypt(3)
mkpasswd -m sha-512 -S saltsalt -s <<< YourPass
-m = Compute the password using the TYPE method. If TYPE is help then the available methods are printed.
-S = salt used.
$ mkpasswd -m help
-s = Read password from stdin
For those without Debian-based systems, Python3 works just as well.
python3 -c 'import crypt, getpass; print(crypt.crypt(getpass.getpass()))'
getpass.getpass() will prompt you for a password on the command line.
This solution has the following benefits:
- Nothing additional to install
- Does not store the password in your shell history
- Generates a random salt for you
- Uses a modern, strong hashing algorithm, SHA-512
Re-prompts for the password to avoid mistakes.
$ python3 -c "from getpass import getpass; from crypt import *; p=getpass(); print('\n'+crypt(p, METHOD_SHA512)) if p==getpass('Please repeat: ') else print('\nFailed repeating.')"
Yet another method to generate passwords, is using the
Generate MD5 passwords
openssl passwd -1 -salt SaltSalt SecretPassword # output: $1$SaltSalt$FSYmvnuDuSP883uWgYBXW/
Generate DES passwords
openssl passwd -crypt -salt XR SuprScrt # output: XR1dOp2EVMph2
None of the current methods are acceptable to me – They either pass the password on the command line (which ends up in my shell’s history), require the installation of additional utilities (makepasswd), use hard-coded salts or use old hashing techniques.
This method would generate SHA-512 hashes after prompting for the password and would use a random salt.
A method utilising Python 2 without any non-standard libraries:
python2 -c 'import crypt, getpass,os,base64; print crypt.crypt(getpass.getpass(), "$6$"+base64.b64encode(os.urandom(16))+"$")'
To do it without a prompt: (This will leave your password in the command history)
python2 -c 'import crypt, os,base64; print crypt.crypt("MyPassword", "$6$"+base64.b64encode(os.urandom(16))+"$")'
chpasswd -e pair didn’t work in my case in RHEL6. Combining openssl passwd and usermod -p command did the job.
Generate the hash value of the password along with the salt value:
$ openssl passwd -1 -salt 5RPVAd clear-text-passwd43
$1$5RPVAd$vgsoSANybLDepv2ETcUH7.
Then, copy the encrypted string to usermod. Make sure to wrap it with single quotes.
$ usermod -p '$1$5RPVAd$vgsoSANybLDepv2ETcUH7.' root
Check it out in the shadow file.
$ grep root /etc/shadow
root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::
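For the original question's case, where the shadow file belongs to a mounted image and is edited as a plain file, the field replacement can be done directly. This is an added example, not code from any of the answers: the function name, the sample lines and the placeholder SHA-512 string are assumptions, and accepting only `$5$`/`$6$` strings is a choice made here.

```python
import re
from datetime import date

# Accept only SHA-256 ($5$) and SHA-512 ($6$) crypt strings, with optional rounds=N.
HASH_RE = re.compile(r"\$[56]\$(rounds=\d+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]+")

def set_shadow_hash(shadow_text, user, new_hash, today=None):
    """Return shadow_text with user's password and last-change fields replaced."""
    # fullmatch rejects ':' and newlines, which would corrupt the record layout.
    if not HASH_RE.fullmatch(new_hash):
        raise ValueError("not a SHA-256/SHA-512 crypt string")
    days = ((today or date.today()) - date(1970, 1, 1)).days
    out, found = [], False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user and len(fields) == 9:
            fields[1] = new_hash   # field 2: the crypt(3) string
            fields[2] = str(days)  # field 3: last change, in days since 1970-01-01
            line, found = ":".join(fields), True
        out.append(line)
    if not found:
        raise KeyError(user)
    return "\n".join(out) + "\n"

# Constructed sample: the root line is the one shown above; the daemon line and
# the new SHA-512 string (a placeholder body, not a real hash) are made up.
SAMPLE_SHADOW = (
    "root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::\n"
    "daemon:*:17774:0:99999:7:::\n"
)
NEW_HASH = "$6$ExampleSalt$" + "A" * 86

if __name__ == "__main__":
    print(set_shadow_hash(SAMPLE_SHADOW, "root", NEW_HASH), end="")
```

Write the result to a temporary file next to the image's etc/shadow and rename it into place, keeping the original owner and mode.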
Expanding a bit on the criticisms of u150825 and Gert van den Berg, I found myself needing something relatively flexible for different situations with different automation systems. I decided I would add to my own little library of useful scripts and write this. It uses only native libraries from python 2.7+, and works on python3 just as well.
You can pick it up here if you like. It’s just as easy to drop this in your environment if you’re needing to use it a lot, http hosted or whatever, and you can run it on any platform using whatever the default python interpreter you’ve got available to you is, pretty reliably counting on it working.
It defaults to prompting using getpass with prompts on stderr (allowing easy capture of stdout), but if you pipe a string to it it’ll just reap from stdin. Depending on how you’re going about this, it may not be showing up in command history, either, so just be cognizant of what it is you’re working with. I like having a flexible tool that’ll behave in an expected way, rather than having to rely on packages or python one-lining my way to victory 10 different ways.
Currently, I don’t have enough reputation to comment. I created this password generator tool. It uses method no 1 described by Rahul Patil.
As many commenters have pointed out, specifying your salt, let alone your password, is a security problem, because it makes reusing salts possible. Reuse of salts makes rainbow table attacks on your password hashes much more feasible, and it also makes it obvious which users share passwords with each other (isolating and highlighting likely less secure passwords such as 123456 or qwertyuiop).
You should not specify your password on the command line (because it is saved in shell history, and even if it’s deleted, it could still reside for some time in the free space of your disk, especially if you’re using a COW filesystem). You should not manually specify your salt at all. You can achieve this by simply using:
openssl passwd -6
(-6 specifies SHA512. Use -5 for SHA256. Avoid -1 for MD5, if possible.)
OpenSSL will ask you for your password via stdin twice, and generate a random salt for each input.
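To check an existing shadow file for the problems raised in this thread (MD5 or DES entries, salts reused across accounts, identical hashes), the password field can be parsed by its `$id$salt$hash` layout. This is an added example, not code from any of the answers; the function names and the account names in the sample are assumptions.

```python
from collections import defaultdict

SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # ids behind -1 / -5 / -6
WEAK = {"MD5", "DES"}

def parse_field(field):
    """Return (scheme, salt) for one shadow password field."""
    if not field or field[0] in "!*":
        return ("locked-or-empty", None)
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, salt, hash] or ['', id, 'rounds=N', salt, hash]
        if len(parts) < 4:
            return ("other", None)
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return (SCHEMES.get(parts[1], "other"), salt)
    # Traditional DES crypt: 13 characters, the first two are the salt.
    return ("DES", field[:2]) if len(field) == 13 else ("other", None)

def audit(shadow_text):
    """Report weak schemes, salts used by several accounts, and identical hashes."""
    weak, by_salt, by_hash = [], defaultdict(list), defaultdict(list)
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        scheme, salt = parse_field(field)
        if scheme in WEAK:
            weak.append((user, scheme))
        if salt is not None:
            by_salt[(scheme, salt)].append(user)
            by_hash[field].append(user)
    def groups(index):
        return sorted(users for users in index.values() if len(users) > 1)
    return {"weak": weak, "shared_salt": groups(by_salt), "same_password": groups(by_hash)}

# Constructed sample. The MD5 and DES strings are the ones quoted on this page;
# the SHA-512 bodies are placeholders, not real hashes.
BODY_A, BODY_B = "A" * 86, "B" * 86
SAMPLE = "\n".join([
    "root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7:::",
    "alice:$1$SaltSalt$FSYmvnuDuSP883uWgYBXW/:17774:0:99999:7:::",
    "bob:XR1dOp2EVMph2:17774:0:99999:7:::",
    "carol:$6$xyz$" + BODY_A + ":17774:0:99999:7:::",
    "dave:$6$xyz$" + BODY_A + ":17774:0:99999:7:::",
    "erin:$6$xyz$" + BODY_B + ":17774:0:99999:7:::",
    "svc:*:17774:0:99999:7:::",
])
```

Calling `audit(SAMPLE)` lists root, alice and bob as weak, groups carol, dave and erin under one shared salt, and shows that carol and dave have the same hash.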