# How to generate the hashes in /etc/master.passwd?



## colemakker (Feb 18, 2021)

Can it be done easily on the command line?

And a related question... why does the output of `sha512 -s arst` not match the other hashes?

```
$ echo arst|sha512
b6404b71a891f0949a6c92f6198e9caa902908dfb9b3b78e4a44cfcb41b035eb8467759aa72c9d82a54fadad77e45ea365ca40386a67516ff8f201a596b6d871
$ echo arst>wtfbbq
$ sha512 wtfbbq
SHA512 (wtfbbq) = b6404b71a891f0949a6c92f6198e9caa902908dfb9b3b78e4a44cfcb41b035eb8467759aa72c9d82a54fadad77e45ea365ca40386a67516ff8f201a596b6d871
$ sha512 -s arst
SHA512 (arst) = 193bd51d8a4988e85faded688661e0f3e7720804edf6086c7fe3a034958031d9c4dc145c27fb46d5bc958cd536d484873932c4a0682e417326c5239fc276fd1e
```
Thanks


----------



## SirDice (Feb 18, 2021)

Password hashes are salted.


----------



## colemakker (Feb 18, 2021)

Yes, I read about that. I wondered if the algorithm that generates the hashes is ... simple? Could it be done with command-line commands that a relative beginner to Unix could interpret?


----------



## SirDice (Feb 18, 2021)

colemakker said:


> I wondered if the algorithm that generates the hashes is ... simple?


It is. It's really not that difficult. Have a look at passwd(5) and crypt(3). I would advise against modifying passwd or master.passwd by "hand" though. The actual users and passwords are stored in a database for performance reasons (if you had a large number of accounts and the passwd file got really big, you got annoying delays when logging in), see pwd_mkdb(8). The old passwd and master.passwd files are mainly for compatibility reasons.


----------



## usdmatt (Feb 18, 2021)

Regarding your second question, `echo` is adding a `\n`. Try `echo -n`.

Edit, also re first question

```
echo -n "arst" | openssl passwd -6 -stdin
$6$FQ6sP5QPmYWIazFn$0aYYeK0nGwLIOszq4TzwM4/lzDCHYS3fwmXTsEOL.7iWigMkJIn3//kFVxM6BFDeo1pUDnnZDG0ad50.FceAW0
```

Expected there would be a way using basic built-in tools, but it appears not; however, openssl has a simple subcommand for it and is in base.


----------



## Mjölnir (Feb 19, 2021)

That parameter `-6` is undocumented, and it denotes the min. password length?
BTW, to force a new user to change the password on the 1st login, I do `pw -n name -p -1`, correct? EDIT: No, the correct way to do it is `pw <username> -p +0`


----------



## SirDice (Feb 19, 2021)

I've used this in a custom puppet module I wrote a long time ago.

`echo "<newpassword>" | pw usermod username -h 0`


```
-h fd         This option provides a special interface by which
                   interactive scripts can set an account password using pw.
                   Because the command line and environment are fundamentally
                   insecure mechanisms by which programs can accept
                   information, pw will only allow setting of account and
                   group passwords via a file descriptor (usually a pipe
                   between an interactive script and the program).  sh, bash,
                   ksh and perl all possess mechanisms by which this can be
                   done.  Alternatively, pw will prompt for the user's
                   password if -h 0 is given, nominating stdin as the file
                   descriptor on which to read the password.  Note that this
                   password will be read only once and is intended for use by
                   a script rather than for interactive use.  If you wish to
                   have new password confirmation along the lines of
                   passwd(1), this must be implemented as part of an
                   interactive script that calls pw.
```
pw(8)


----------



## msplsh (Feb 19, 2021)

The keyword to your searches on this should be "Modular Crypt Format" and crypt(3) as stated earlier.  It's simple in that a person skilled in how to hash and salt things could easily do it, but if you don't know what you're doing and expect to cut & paste a command, I'm honestly kind of suspicious as to what you're trying to do before handing you the tools to shoot your foot off.


Mjölnir said:


> That parameter `-6` is undocumented, and it denotes


6 is SHA-512 in MCF.  crypt(3) lists the ones FreeBSD supports.

FreeBSD lists 2 as blowfish, but "blf" has been screwed up twice, so 2, 2a, and 2x are all messed up and 2y is the explicitly "fixed" version.


----------
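As an added illustration, not code from this thread or from FreeBSD's libcrypt: the `$6$` scheme msplsh refers to (SHA-512 crypt, Ulrich Drepper's specification, the same thing `openssl passwd -6` and crypt(3) produce) reimplemented in plain Python, with a `verify()` that parses the MCF fields `$6$[rounds=N$]salt$hash` and re-hashes. The function names are my own; salt truncation to 16 characters and the 1000..999999999 rounds clamp mirror the reference implementation, and the hash usdmatt posted for `arst` above serves as the check value. Pure Python is far slower than libcrypt, so this is for understanding the format, not for use on a real system.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64_24bit(b2, b1, b0, n):
    # crypt's own base64 (not RFC 4648): n 6-bit groups, low bits first
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(B64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha512_crypt(password, salt, rounds=None):
    # rounds=None means the default 5000 and no "rounds=" field in the output
    pw, salt = password.encode(), salt.split("$")[0][:16].encode()
    n_rounds = 5000 if rounds is None else max(1000, min(999_999_999, rounds))
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n:  # one update per bit of len(pw), lowest bit first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]      # P: password-length byte string
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[: len(salt)]  # S: salt-length byte string
    c = a
    for i in range(n_rounds):  # the tunable work factor lives here
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = ""
    for k in range(21):  # fixed permutation of the 64 digest bytes, 3 at a time
        i0, i1, i2 = [(k, k + 21, k + 42), (k + 21, k + 42, k), (k + 42, k, k + 21)][k % 3]
        enc += _b64_24bit(c[i0], c[i1], c[i2], 4)
    enc += _b64_24bit(0, 0, c[63], 2)
    rounds_field = "" if rounds is None else f"rounds={n_rounds}$"
    return f"$6${rounds_field}{salt.decode()}${enc}"

def verify(password, stored):
    # Parse "$6$[rounds=N$]salt$hash", re-hash with those parameters, compare in constant time
    parts = stored.split("$")
    has_rounds = len(parts) > 2 and parts[2].startswith("rounds=")
    if len(parts) != 4 + has_rounds or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a $6$ (sha512-crypt) MCF string")
    rounds = int(parts[2][7:]) if has_rounds else None
    return hmac.compare_digest(sha512_crypt(password, parts[2 + has_rounds], rounds), stored)
```

Verifying `"arst\n"` against the posted hash fails while `"arst"` succeeds, which is the trailing-newline pitfall usdmatt pointed out.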

