
I want to create a few Linux users on my computer to test JohnTheRipper against different kinds of passwords (including length, charset and encryption hash method). How can I easily specify which hashing algorithm to use when creating a new user? I know that the file /etc/login.defs contains the variable ENCRYPT_METHOD, which is set to SHA512 by default on many Debian systems, but I would like to know if it is possible to use another encryption hash without modifying this file.

PS: I tried to modify this file, rebooting and creating a new user with the command adduser, but the encryption hash method used is always SHA512.

Thanks.

Cyrill Gremaud

2 Answers

6

The easiest method to set up a password with a non-default hashing method is to manually hash the password first and then supply that hashed password when setting up the user:

 adduser --password HASHEDPASSWORD user

Where the HASHEDPASSWORD must follow your system's standards for the crypt function (man 3 crypt):

If salt is a character string starting with the characters "$id$" followed by a string terminated by "$":

         $id$salt$encrypted

then instead of using the DES machine, id identifies the encryption method used and this then determines how the rest of the password string is interpreted. The following values of id are supported:

          ID  | Method
          ---------------------------------------------------------
          1   | MD5
          2a  | Blowfish (not in mainline glibc; added in some
              | Linux distributions)
          5   | SHA-256 (since glibc 2.7)
          6   | SHA-512 (since glibc 2.7)

So $5$salt$encrypted is an SHA-256 encoded password and $6$salt$encrypted is an SHA-512 encoded one.

To generate a correct hash from the commandline you can look here.

HBruijn
  • Thanks for the reference to the other post. It is helpful. But your example with adduser doesn't work on my host because --password is an unknown option. – Cyrill Gremaud May 04 '15 at 07:03
  • That may depend on the Linux distro, I'm most familiar with RHEL/CentOS. Maybe `usermod`? – HBruijn May 04 '15 at 07:07
  • It is working if I use the mkpasswd tool, and copy and paste the output to /etc/shadow for the corresponding user. I will test it and edit my response – Cyrill Gremaud May 04 '15 at 07:10
0

After some tests, the best way to create different users with different hash algorithms is composed of 3 steps:

  1. Create the user without password
  2. Create the UNIX format password using specified parameters (salt, password, hashing algorithm)
  3. Set the generated UNIX password in /etc/shadow

Here is an example of a user test1, with password 1234 and md5 as the hashing function.

    sudo adduser test1 --disabled-password
    sudo mkpasswd --method=md5 --salt=coolsalt 1234
    $1$coolsalt$qTXiZzGn08J.xYkV1ce1y1

And now, just edit /etc/shadow.

Before editing:

    test1:*:16559:0:99999:7:::

After editing:

    test1:$1$coolsalt$qTXiZzGn08J.xYkV1ce1y1:16559:0:99999:7:::

Afterwards, you can try to log in with this user to check that the format is correct.

    whoami
    root
    su test1
    Password: 1234
    whoami
    test1

Thanks for the help

Cyrill Gremaud
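As an added example that is not part of either answer: the `$id$salt$hash` format quoted from crypt(3) in the first answer, and the mkpasswd/shadow-edit procedure of the second one, can be checked offline. The script below implements the classic MD5-crypt (`$1$`) algorithm with hashlib, parses a shadow password field and names its method using the id table from the man page excerpt, verifies a candidate password against a stored field, and replaces the password field of a shadow-format line the way the second answer does by hand. The function names (`md5_crypt`, `parse_crypt_field`, `verify_password`, `set_shadow_hash`) are my own; only the MD5 method is implemented, the SHA-256/SHA-512 variants are a different, longer algorithm and are deliberately left out. The shadow line and the `1234`/`coolsalt` values are the ones from the answer; nothing here touches the real /etc/shadow.

```python
# Added example, not code from the answers: MD5-crypt ($1$) and shadow-field helpers.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# id -> method, taken from the crypt(3) table quoted in the first answer
CRYPT_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}


def _to64(value, count):
    """crypt(3)'s base-64 variant: least-significant 6 bits first, `count` chars."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Classic MD5-crypt; the salt is cut at the first '$' and limited to 8 chars."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]
    sp = salt.encode()
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # feed len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                     # fixed 1000 rounds to slow brute force
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # the 16 digest bytes are interleaved in this fixed order before encoding
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def parse_crypt_field(field):
    """Split '$id$salt$hash' into parts and name the method from the id table."""
    if not field.startswith("$"):
        raise ValueError("not a $id$salt$hash field (DES, locked or empty)")
    _, crypt_id, salt, encoded = field.split("$", 3)
    return {"id": crypt_id, "method": CRYPT_METHODS.get(crypt_id, "unknown"),
            "salt": salt, "hash": encoded}


def verify_password(password, field):
    """Recompute with the stored salt and compare in constant time (MD5 only here)."""
    parts = parse_crypt_field(field)
    if parts["id"] != "1":
        raise NotImplementedError(f"{parts['method']} is not implemented in this example")
    return hmac.compare_digest(md5_crypt(password, parts["salt"]), field)


def set_shadow_hash(shadow_line, user, new_field):
    """Replace the 2nd colon-separated field (the hash) for `user`; other lines untouched."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) != 9 or fields[0] != user:
        return shadow_line
    fields[1] = new_field
    return ":".join(fields)


if __name__ == "__main__":
    # constructed input: the shadow line and values from the second answer
    field = md5_crypt("1234", "coolsalt")
    print(field)
    print(set_shadow_hash("test1:*:16559:0:99999:7:::", "test1", field))
    print(parse_crypt_field(field), verify_password("1234", field))
```

Running the script prints the same `$1$coolsalt$...` value that the answer obtained from mkpasswd, which is a convenient way to confirm that a hash copied into /etc/shadow corresponds to the password you think it does before testing it with John. `parse_crypt_field` also makes it easy to audit a shadow file for users still on the weaker `$1$` method.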