How to create an SHA-512 hashed password for shadow?

The previous SF questions I've seen have led to answers that produce MD5 hashed passwords.

Does anyone have a suggestion on how to produce an SHA-512 hashed password? I'd prefer a one-liner instead of a script but, if a script is the only solution, that's fine as well.

Update

Replacing previous py2 versions with this one:

python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"

Solution 1:

Here's a one liner:

python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'

Python 3.3+ includes mksalt in crypt, which makes it much easier (and more secure) to use:

python3 -c 'import crypt; print(crypt.crypt("test", crypt.mksalt(crypt.METHOD_SHA512)))'

If you don't provide an argument to crypt.mksalt (it could accept crypt.METHOD_CRYPT, ...MD5, SHA256, and SHA512), it will use the strongest available.

The ID of the hash (number after the first $) is related to the method used:

  • 1 -> MD5
  • 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
  • 5 -> SHA-256 (since glibc 2.7)
  • 6 -> SHA-512 (since glibc 2.7)

I'd recommend you look up what salts are and such and, as per smallclamger's comment, the difference between encryption and hashing.

Update 1: The string produced is suitable for shadow and kickstart scripts.
Update 2: Warning. If you are using a Mac, see the comment about using this in Python on a Mac, where it doesn't seem to work as expected.

On macOS you should not use the versions above, because Python uses the system's version of crypt() which does not behave the same and uses insecure DES encryption. You can use this platform independent one liner (requires passlib – install with pip3 install passlib):

python3 -c 'import passlib.hash; print(passlib.hash.sha512_crypt.hash("test"))'

Solution 2:

On Debian you can use mkpasswd to create passwords with different hashing algorithms suitable for /etc/shadow. It is included in the package whois (according to apt-file).

mkpasswd -m sha-512
mkpasswd -m md5

To get a list of available hashing algorithms, type:

mkpasswd -m help 

HTH

Solution 3:

Best Answer: grub-crypt

Usage: grub-crypt [OPTION]...
Encrypt a password.

-h, --help              Print this message and exit
-v, --version           Print the version information and exit
--md5                   Use MD5 to encrypt the password
--sha-256               Use SHA-256 to encrypt the password
**--sha-512             Use SHA-512 to encrypt the password (default)**

Solution 4:

Here's some short C code to generate the SHA-512 password on various Unix-type OSes.

File: passwd-sha512.c

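#define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  /* Require a password and a salt; SHA-512 crypt uses at most 16 salt characters. */
  if ( argc < 3 || strlen(argv[2]) > 16 ) {
    printf("usage: %s password salt\n", argv[0]);
    printf("salt must not be larger than 16 characters\n");
    return 1;
  }

  /* "$6$" + up to 16 salt characters + "$" + terminating NUL = 21 bytes. */
  char salt[21];
  snprintf(salt, sizeof salt, "$6$%s$", argv[2]);

  /* crypt() returns NULL on failure, so check before printing. */
  char *hash = crypt(argv[1], salt);
  if (hash == NULL) {
    perror("crypt");
    return 1;
  }
  printf("%s\n", hash);
  return 0;
}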

to compile:

/usr/bin/gcc -o passwd-sha512 passwd-sha512.c -lcrypt

usage:

passwd-sha512 <password> <salt (16 chars max)>

Solution 5:

Surprising that no answer suggests the simple openssl passwd command with the -6 option. Maybe it wasn't available yet in 2011?

If you don't care about providing the password on the command line (risking it staying in the command history), then you can do:

openssl passwd -6 YourPassword

It will generate the salt, and output a line like this:

$6$/57kpVAA/kuPUtzV$Ugxo0RTL2uXCvU7WH43c1qn0quMy2ve.qiBYJPG75tFgTN8gI5Jp/FYPXFOzIsASqVTqM42kjN2805VYLHKzm1

With the stdin option, it can also read the password from STDIN (or a file), so you don't leave it behind in the history:

openssl passwd -6 -stdin
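
The hash ID list in Solution 1, the 16-character salt limit in Solution 4 and the sample output in Solution 5 all describe one format, $id$salt$hash. As an added example (not part of any answer above), this Python checks that a generated string has that shape and the required ID before it goes into shadow or a kickstart file. The name check_shadow_hash and the sample strings are constructed for illustration; the length limits are those of the md5crypt and SHA-crypt formats, and the salt is assumed to use the [./0-9A-Za-z] alphabet that mksalt and openssl emit.

```python
import re

# id -> (method, max salt length, digest length). The ids come from the list in
# Solution 1; the lengths are those of the md5crypt and SHA-crypt formats.
METHODS = {"1": ("MD5", 8, 22), "5": ("SHA-256", 16, 43), "6": ("SHA-512", 16, 86)}
ALPHABET = re.compile(r"[./0-9A-Za-z]+")  # assumed alphabet for salt and digest


def check_shadow_hash(field, require="6"):
    """Return (method, rounds, salt) if field is a well-formed hash of the
    required id; raise ValueError with the reason otherwise."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not in $id$salt$hash form (DES hash, locked or empty entry)")
    hash_id, rest = parts[1], parts[2:]
    if hash_id != require:
        raise ValueError(f"hash id is {hash_id!r}, expected {require!r}")
    if hash_id not in METHODS:
        raise ValueError(f"no length rules known for id {hash_id!r}")
    method, max_salt, digest_len = METHODS[hash_id]
    rounds = None
    if rest[0].startswith("rounds="):  # optional SHA-crypt cost parameter
        value = rest[0][len("rounds="):]
        if hash_id == "1" or not value.isdigit() or not 1000 <= int(value) <= 999999999:
            raise ValueError(f"invalid rounds field {rest[0]!r}")
        rounds, rest = int(value), rest[1:]
    if len(rest) != 2:
        raise ValueError("expected exactly one salt and one digest field")
    salt, digest = rest
    if not ALPHABET.fullmatch(salt) or len(salt) > max_salt:
        raise ValueError(f"salt must be 1-{max_salt} characters from [./0-9A-Za-z]")
    if not ALPHABET.fullmatch(digest) or len(digest) != digest_len:
        raise ValueError(f"{method} digest must be {digest_len} characters, got {len(digest)}")
    return method, rounds, salt


if __name__ == "__main__":
    # Constructed samples: correct shape only, not hashes of any real password.
    samples = [
        "$6$Cn5tRuct3dSalt$" + "A" * 86,
        "$6$rounds=5000$Cn5tRuct3dSalt$" + "A" * 86,
        "$1$abcdefgh$" + "A" * 22,        # MD5, the result the question wants to avoid
        "$6$Cn5tRuct3dSalt$" + "A" * 40,  # truncated digest
    ]
    for s in samples:
        try:
            print("ok    ", check_shadow_hash(s))
        except ValueError as err:
            print("reject", err)
```
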