![]() Ruby -e 'require "securerandom" puts SecureRandom.alphanumeric(20).crypt("$6$" + rand(36 ** 8).to_s(36))' Ruby # With a random password and random salt # Read password from stdin to avoid leaking it in shell command history whois of all other Linux distro doesn't include mkpasswd but the source (C lang) can be found on the original repository. mkpasswd is provided by the expect package but is an totally different utility which is available as expect_mkpasswd on Debian / Ubuntu. On other Linux distribution such as ArchLinux, Fedora, CentOS, openSUSE, etc. Note: mkpasswd binary is installed via the package whois on Debian / Ubuntu only. $6$salt$encrypted is an SHA-512 encoded one.Īll examples will be using SHA-512, as password placeholder and as salt placeholder. So $5$salt$encrypted is an SHA-256 encoded password and Tion method used and this then determines how the rest of the Then instead of using the DES machine, id identifies the encryp‐ "$id$" followed by a string terminated by "$": If salt is a character string starting with the characters The glibc2 version of this function supports additional encryp‐ Mind you, since I have enough permission to read/write /etc/shadow, I COULD just overwrite the hash, and get on with life. I would use John the ripper - but at least on my hardware (Raspberry Pi) and my budget (nothing) - John can't do it (it does not seem to support the advanced crypt/glibc stuff in the raspbian free version. ![]() Given a potentially "lost" password, I can use MKPASSWD and the salt, to generate the SHA512 hash, and confirm/deny a list of candidate passwords. That said, this web page was very helpful - in particular the MKPASSWD, as this solved MY problem. Take a look at the man page for crypt (3) and I think that you will find that the crypt tool has been updated to use glibc and sha256 ($5) and sha512 ($6), multiple rounds, much larger salt, and so on.Ĭlearly SHA512 is relevant to how /etc/shadow works. You can use this platform independent one liner (requires passlib – install with pip3 install passlib): python3 -c 'import passlib.hash print(512_crypt.hash("test"))' On macOS you should not use the versions above, because Python uses the system's version of crypt() which does not behave the same and uses insecure DES encryption. If you are using a Mac, see the comment about using this in python on a mac where it doesn't seem to work as expected. Update 1: The string produced is suitable for shadow and kickstart scripts. I'd recommend you look up what salts are and such and as per smallclamgers comment the difference between encryption and hashing. 2a -> Blowfish (not in mainline glibc added in some Linux distributions). ![]() The ID of the hash (number after the first $) is related to the method used: MD5, SHA256, and SHA512), it will use the strongest available. If you don't provide an argument to crypt.mksalt (it could accept crypt.METHOD_CRYPT. Python 3.3+ includes mksalt in crypt, which makes it much easier (and more secure) to use: python3 -c 'import crypt print(crypt.crypt("test", crypt.mksalt(crypt.METHOD_SHA512)))' Here's a one liner: python -c 'import crypt print crypt.crypt("test", "$6$random_salt")' Edit: Please note this answer is 10+ years old.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |