validating an /etc/shadow entry

2024-05-17

A few moons ago, certain events transpired which needed me to log in over a terminal (over an iDRAC virtual console, through an AnyDesk connection). The only thing with me was a hashed cloud-init password, and the password shared with me was not working. After fumbling through entering the password with a ~1 second latency for each keystroke, doubting even then whether I did it correctly, once with a keyboard and once with the virtual keyboard, and nothing working, I had a hunch the password shared with me was not the one.

After diligently trying the password about 4 times either way (virtual keyboard and otherwise), I decided to pause this Sisyphean struggle and go figure out how to generate the hash for myself, to check if the password shared with me was indeed not the one.

Scrambling through Stack Overflow, I figured that $6 stands for SHA-512, the second part is the salt, and the third part is the hashed password.

mkpasswd -m SHA-512 -S "$salt"
# < Password: <stdin>
# > $6${salt}${hash}

Anyway, once certain this password was not the one, we could focus on getting the one password, and continuing with (the rest of the events which transpired). I never needed to use this again, until... today. So, here we go.

format

$<ID>$<SALT>$<PWD>

ids

from what seems like the rfc,

     ID       |    Method
  -------------------------------
     1        |  MD5 (Linux, BSD)
     2a       |  Blowfish (OpenBSD)
     md5      |  Sun MD5
     5        |  SHA-256
     6        |  SHA-512

I was unable to find any references to generating password hashes for Blowfish and Sun MD5, so /shrug.

generation: mkpasswd

mkpasswd (available in the whois package??) can be used to generate hashes.

note: the salt for md5 is 8 bytes; sha256 and sha512 salts can be up to 16 bytes.

export salt="hahahaha"
export secret="secret"

# note: a password given as an argument ends up in shell history and the
# process list; leave it off and mkpasswd prompts for it instead.
mkpasswd -m MD5 -S "$salt" "$secret"
# $1$hahahaha$yh6ROIJFkNKeqkDDGRmT1.

mkpasswd -m SHA-256 -S "$salt" "$secret"
# $5$hahahaha$9yESd1xu.bXHXBlNYEBoBl7jyQT0L.pngF1QrFXJZvC

mkpasswd -m SHA-512 -S "$salt" "$secret"
# $6$hahahaha$JnOxDTOTkILczjmBuxF0TgSv5xre9f8ql4.ExYG7r7kq5qY.FIDT09/MLpf3tefxZXENe.QrFe28iAnoAwWv.1

generation: openssl

if you want to bring a nuke, use openssl. depending on your platform, you should be able to use the openssl passwd command.

openssl passwd -1 -salt "$salt" "$secret"
# $1$hahahaha$yh6ROIJFkNKeqkDDGRmT1.

openssl passwd -5 -salt "$salt" "$secret"
# $5$hahahaha$9yESd1xu.bXHXBlNYEBoBl7jyQT0L.pngF1QrFXJZvC

openssl passwd -6 -salt "$salt" "$secret"
# $6$hahahaha$JnOxDTOTkILczjmBuxF0TgSv5xre9f8ql4.ExYG7r7kq5qY.FIDT09/MLpf3tefxZXENe.QrFe28iAnoAwWv.1
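
putting the pieces above together for the original task (is the shared password the one behind this hash?): the script below is an added example, not part of the original post. it pulls the id and salt out of a shadow-style line, re-hashes the candidate with openssl, and compares. the helper name check_shadow_line and the sample user "demo" are made up, and it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): check a candidate password
# against one /etc/shadow-style line by re-hashing it with the stored id and salt.
# check_shadow_line is a hypothetical helper name; assumes openssl 1.1.1+.
# Returns 0 = match, 1 = mismatch, 2 = field cannot be checked here.
check_shadow_line() {
    line=$1
    candidate=$2
    # Field 2 of "user:hash:lastchg:min:max:..." is the password hash field.
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    # Accept only $1$ / $5$ / $6$ entries; "!", "*" or a "!"-prefixed (locked)
    # hash fall through to "cannot be checked".
    case $field in
        '$1$'*'$'* | '$5$'*'$'* | '$6$'*'$'*) ;;
        *) return 2 ;;
    esac
    id=$(printf '%s\n' "$field" | cut -d'$' -f2)
    salt=$(printf '%s\n' "$field" | cut -d'$' -f3)
    # $id$rounds=N$salt$hash puts a cost parameter where the salt normally is;
    # this sketch refuses it rather than guessing.
    case $salt in
        '' | rounds=*) return 2 ;;
    esac
    # -stdin keeps the candidate off openssl's command line
    # (printf is a builtin in bash and dash, so it is not in the process list).
    computed=$(printf '%s\n' "$candidate" |
        openssl passwd "-$id" -salt "$salt" -stdin 2>/dev/null) || return 2
    [ "$computed" = "$field" ]
}

# Constructed sample line: made-up user "demo" with the SHA-512 hash from this page.
sample='demo:$6$hahahaha$JnOxDTOTkILczjmBuxF0TgSv5xre9f8ql4.ExYG7r7kq5qY.FIDT09/MLpf3tefxZXENe.QrFe28iAnoAwWv.1:19860:0:99999:7:::'
if check_shadow_line "$sample" 'secret'; then
    echo "candidate matches the stored hash"
else
    echo "no match or not checkable (rc=$?)"
fi
```

a return code of 2 means the entry was not compared at all (locked account, unsupported id, or a rounds= parameter), which is different from a wrong password.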