etc-shadow

Chris Murphy lists at colorremedies.com
Sun Feb 22 18:23:45 UTC 2015


On Sat, Feb 21, 2015 at 11:58 PM, Matthew Miller <mattdm at fedoraproject.org>
wrote:
> On Sat, Feb 21, 2015 at 06:07:18PM -0700, Chris Murphy wrote:
>> I read this:
>> http://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
>> But Fedora doesn't have mkpasswd by default, whereas passwd seems to
>> only update shadow rather than outputting to stdout. And if there's a
>> salt used I can't tell how that would be referenced.
>
> It's generated by the crypt function in glibc — man 3 crypt, and scroll
> down to the "Glibc notes" section. Although I didn't dig further, that
> says that the characters in the resulting string are drawn from the set
> [a-zA-Z0-9./]; I assume that it's the same number as would be found in
> a sha512sum hash, except mapped to that instead of represented as a
> long hexadecimal number. (If you do want to dig further, I suppose
> sha512-crypt.c is the place to look.)
>
> If you want to generate such a string yourself, using the crypt
> function seems like the easiest way (of course using the python crypt
> module or whatever).

That's it. Thanks!

So there is a salt listed in /etc/shadow, and 5000 rounds of SHA512 are
used by default according to sha512-crypt.c. The number of rounds can be
changed in /etc/pam.d/passwd.

Curiously, Anaconda calls authconfig to create the key, and the resulting
shadow entry contains a 16-character salt, whereas passwd uses an
8-character salt.

-- 
Chris Murphy
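
To check the salt length and round count of entries like the ones compared in this thread, the password field can be split on `$`. This is an added example, not code from the thread; `parse_shadow_line` and the sample entries are constructed for illustration, and only the `$5$`/`$6$` SHA-crypt forms are handled.

```python
import re
from typing import NamedTuple, Optional

CRYPT_CHARS = re.compile(r"[a-zA-Z0-9./]*")   # alphabet named in crypt(3)
SCHEMES = {"5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}  # id -> name, digest length
DEFAULT_ROUNDS = 5000   # used when the entry carries no rounds= field
MAX_SALT = 16           # SHA-crypt uses at most 16 salt characters

class ShadowHash(NamedTuple):
    user: str
    scheme: str
    rounds: int
    explicit_rounds: bool
    salt: str
    digest: str

def parse_shadow_line(line: str) -> Optional[ShadowHash]:
    """Parse one shadow line; return None when the password field holds no
    SHA-crypt hash (empty, locked with ! or *, or a different scheme)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    parts = fields[1].split("$")
    # Expected: ['', id, salt, digest] or ['', id, 'rounds=N', salt, digest]
    if len(parts) not in (4, 5) or parts[0] or parts[1] not in SCHEMES:
        return None
    name, digest_len = SCHEMES[parts[1]]
    rounds, explicit = DEFAULT_ROUNDS, False
    if len(parts) == 5:
        m = re.fullmatch(r"rounds=(\d+)", parts[2])
        if m is None:
            raise ValueError("malformed rounds field")
        rounds, explicit = int(m.group(1)), True
    salt, digest = parts[-2], parts[-1]
    if not (CRYPT_CHARS.fullmatch(salt) and CRYPT_CHARS.fullmatch(digest)):
        raise ValueError("character outside [a-zA-Z0-9./]")
    if len(salt) > MAX_SALT or len(digest) != digest_len:
        raise ValueError("unexpected salt or digest length")
    return ShadowHash(fields[0], name, rounds, explicit, salt, digest)

# Constructed sample entries (placeholder digests, not real password hashes).
SAMPLE = [
    "alice:$6$Ab3dEf9h$" + "A" * 86 + ":16488:0:99999:7:::",          # 8-character salt
    "bob:$6$Ab3dEf9hIj2lMn4p$" + "B" * 86 + ":16488:0:99999:7:::",    # 16-character salt
    "carol:$6$rounds=100000$saltsalt$" + "C" * 86 + ":16488:0:99999:7:::",
    "daemon:*:16488:0:99999:7:::",                                    # no hash
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_shadow_line(entry))
```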