How should someone create an encrypted password for /etc/shadow?

Question

I am setting up a new account on a Linux box for Subversion repository access, and can send the password to the new user. However, I think there was a command line utility for this new user to encrypt the password he likes into a format I can copy/paste directly into the /etc/shadow file.

What was the full command that this new user should run on the console (e.g. Bash) to create such an encrypted password?

UPDATE: the user will not be allowed to log in on the machine, and the account will merely be used for svn+ssh:// access. Therefore, the user cannot change it himself.

User is asking about bash scripting, since he's obviously not going to do this manually. — Tim Post, Nov 24 '09 at 17:10

Daniel · Answer 1 · 2013-04-10T11:58:39.750

16

the user can execute on his computer something like:

echo "password"|openssl passwd -1 -stdin

and then send you the output.

edited Apr 10 '13 at 11:58

answered Nov 24 '09 at 18:30

Daniel

1,703
1
12
16

+1 does exactly what you are looking for. – Antoine Benkemoun Nov 24 '09 at 20:54
Why is that command giving a different value each time I call it? – Egon Willighagen Nov 24 '09 at 21:17
2

The format of the output is $id$salt$encrypted. Different id and different salt give you a different encrypted string. The id is the algorithm used: 0-DES, 1->MD5, 2a->Blowfish, 5->SHA-256, 6->SHA512 – Gonzalo Nov 24 '09 at 22:05
OK, so I need to figure out how to trigger a certain id (which was the same all the time) and salt (which changed with each call)... makes sense. – Egon Willighagen Nov 25 '09 at 07:44

score 2 · Answer 2 · answered Nov 24 '09 at 16:51

2

The format of the password in shadow can vary. You could set it to be MD5 or the good old DES3 or... You are good sending your user a password and forcing her to change it in the first login (# chage -d 0 username)

answered Nov 24 '09 at 16:51

Gonzalo

467
5
8

score 1 · Answer 3 · answered Nov 24 '09 at 16:57

1

Instead of having them encrypt the password and send it to you, why not just tell them to type:

passwd

It will do everything you want with the added advantage that they can change their passwords without any extra work for you.

EDIT: According to this, there's supposedly a command called makepassword that you can get for Debian/Ubuntu.

answered Nov 24 '09 at 16:57

Brendan Long

342
1
11

Because that requires the user to already be logged in. The OP wants a solution to set the password securely *before* the user logs in for the first time. – Daniel Pryden Nov 24 '09 at 16:58
1

It seems like randomly generating a password and having them change it when they log in is just as secure as having them generate a password and manually adding it. – Brendan Long Nov 24 '09 at 17:28
The user will actually never login (shell:/bin/false), and only allow SVN read/write access... – Egon Willighagen Nov 24 '09 at 18:16
2

You could set shell:/usr/bin/passwd :D – Brendan Long Nov 24 '09 at 18:28
1

I mean that last comment as joke, but apparently it will work: http://markmail.org/message/ekuxvnhdagywy4i5 – Brendan Long Nov 24 '09 at 18:30

score 0 · Answer 4 · answered Nov 24 '09 at 17:05

/etc/passwd and /etc/shadow are very easy to tokenize with the usual command line tools (i.e. grep, awk, sed, tr, etc).

What becomes interesting is the actual password hash field in /etc/shadow, its prefix tells you how the password has been encrypted. From man (5) shadow :

The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 characters alphabet a thru z, A
thru Z, 0 thru 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another
(not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.

How it was encrypted broadly depends on how old the installed OS happens to be. Its important to pay special attention to the second field in /etc/shadow.

You should make every effort to follow whatever hash the system is using, be it DES, MD5, etc, since its so easy to detect.

score 0 · Answer 5 · edited Nov 24 '09 at 18:14

0

Why not SU into to the user and run passwd?

edited Nov 24 '09 at 18:14

Zoredache

128,755
40
271
413

answered Nov 24 '09 at 17:20

Esben Skov Pedersen

197
1
8

Because I do not want to know the password... or have it send to me in an unencrypted form. – Egon Willighagen Nov 24 '09 at 18:17

score 0 · Answer 6 · answered Nov 24 '09 at 23:16

Is there a way to generate this passwords via command line? Yes, with debian package makepasswd (but only for MD5):

echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.

But this will not work via copy and paste inside /etc/shadow To change password via script in some linux distributions, you can use:

echo oracle:mypasswd | chpasswd

or

echo -n mypasswd | passwd --stdin oracle

How should someone create an encrypted password for /etc/shadow?

6 Answers6

Linked