etc-shadow

Alex Regan mysqlstudent at gmail.com
Mon Feb 23 00:01:11 UTC 2015


Hi,

On 02/22/2015 01:23 PM, Chris Murphy wrote:
> On Sat, Feb 21, 2015 at 11:58 PM, Matthew Miller
> <mattdm at fedoraproject.org> wrote:
>  > On Sat, Feb 21, 2015 at 06:07:18PM -0700, Chris Murphy wrote:
>  >> I read this:
>  >> http://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
>  >> But Fedora doesn't have mkpasswd by default, whereas passwd seems to
>  >> only update shadow rather than outputting to stdout. And if there's a
>  >> salt used I can't tell how that would be referenced.
>  >
>  > It's generated by the crypt function in glibc — man 3 crypt, and scroll
>  > down to the "Glibc notes" section. Although I didn't dig further, that
>  > says that the characters in the resulting string are drawn from the set
>  > [a-zA-Z0-9./]; I assume that it's the same number as would be found in
>  > a sha512sum hash, except mapped to that instead of represented as a
>  > long hexadecimal number. (If you do want to dig further, I suppose
>  > sha512-crypt.c is the place to look.)
>  >
>  > If you want to generate such a string yourself, using the crypt
>  > function seems like the easiest way (of course using the python crypt
>  > module or whatever).
>
> That's it. Thanks!
>
> So there is a salt listed in /etc/shadow, and 5000 rounds of SHA512 are
> used by default according to sha512-crypt.c. The number of rounds can be
> changed in /etc/pam.d/passwd.
>
> Curiously, Anaconda calls authconfig to create the key, and the
> resulting shadow entry contains a 16 character salt. Whereas passwd uses
> an 8 character salt.

Do you happen to know if there's a pre-built version of John-the-Ripper 
or another password testing program that's available and works with 
these new passwords?

Thanks,
Alex
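
The shadow field layout discussed in the quoted thread (method id, optional rounds, salt, digest) can be inspected with a small parser. This is an added example, not part of the original message: the function names are hypothetical and the sample lines are constructed placeholders of the right length, not real hashes.

```python
import re

# Constructed sample lines in /etc/shadow layout; the digest fields are
# placeholder strings of the right length, not real password hashes.
SAMPLE_SHADOW = "\n".join([
    "alice:$6$" + "a" * 16 + "$" + "b" * 86 + ":16488:0:99999:7:::",
    "bob:$6$" + "c" * 8 + "$" + "d" * 86 + ":16488:0:99999:7:::",
    "carol:$6$rounds=100000$" + "e" * 16 + "$" + "f" * 86 + ":16488:0:99999:7:::",
    "dave:$1$" + "g" * 8 + "$" + "h" * 22 + ":16488:0:99999:7:::",
    "daemon:*:16488:0:99999:7:::",
])

# crypt(3) method id -> (name, length of the encoded digest)
METHODS = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
DEFAULT_ROUNDS = 5000  # used by sha512-crypt when no rounds= is present
FIELD = re.compile(r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
                   r"(?P<salt>[a-zA-Z0-9./]{0,16})\$(?P<digest>[a-zA-Z0-9./]+)$")

def parse_hash_field(field):
    """Split a shadow password field into method, rounds and salt.
    Returns None for locked/empty fields or formats not handled here."""
    m = FIELD.match(field)
    if not m:
        return None
    name, digest_len = METHODS[m["id"]]
    if len(m["digest"]) != digest_len:
        return None
    # MD5-crypt has a fixed iteration count, so rounds is reported as None
    rounds = None if m["id"] == "1" else int(m["rounds"] or DEFAULT_ROUNDS)
    return {"method": name, "rounds": rounds, "salt": m["salt"], "salt_len": len(m["salt"])}

def audit(shadow_text):
    """Map each user to parsed hash parameters (None if no parsable hash)."""
    report = {}
    for line in shadow_text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":")[:2]
        report[user] = parse_hash_field(field)
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE_SHADOW).items():
        print(user, info)
```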

