How are the hashes in /etc/shadow generated?

A couple of things to think about (you'll have to read the sources in the Linux coreutils and glibc2 to confirm)

  • The output of sha512sum appears to be printable hex notation whereas the output stored in the shadow file appears to be base64 so they will be different.

  • I think that the sha512sum in the shadow file has been passed through the hash function more than once ( #define ROUNDS_DEFAULT 5000 ) whereas the sha512sum just passes the 'file' through the hash once.

  • There may be padding added by one or both commands to align the data it may be different.


From the shadow(5) man-page:

encrypted password

Refer to crypt(3) for details on how this string is interpreted.

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

From the crypt(3) man-page:

crypt() is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of akey search.

key is a user's typed password.

salt is a two-character string chosen from the set [a–zA–Z0–9./]. This string is used to perturb the algorithm in one of 4096 different ways.

By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose content is overwritten by each call.


If you want to create the hash in the same way that the /etc/shadow file stores it, use the following command:

mkpasswd --method=sha-512 --salt=YOUR_SALT PASSWORD