How to create SHA512 password hashes on command line
On any of the Red Hat distros such as Fedora, CentOS, or RHEL the command mkpasswd
doesn't include the same set of switches as the version typically included with Debian/Ubuntu.
NOTE: The command mkpasswd
is actually part of the expect
package, and should probably be avoided. You can find out what package it belongs to with either of these commands.
$ yum whatprovides "*/mkpasswd"
-or-
$ repoquery -q --file */mkpasswd
Example
$ repoquery -q --file */mkpasswd
expect-0:5.43.0-8.el5.x86_64
expect-0:5.43.0-8.el5.i386
Both of these methods are superior to using rpm
since the packages do not have to be installed to locate */mkpasswd
.
Workarounds
To work around this you can use the following Python or Perl one-liners to generate SHA-512 passwords. Take note that these are salted:
Python (>= 3.3)
$ python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
-or scripted-
$ python -c 'import crypt; print(crypt.crypt("somesecret", crypt.mksalt(crypt.METHOD_SHA512)))'
Python (2.x or 3.x)
$ python -c "import crypt, getpass, pwd; \
print(crypt.crypt('password', '\$6\$saltsalt\$'))"
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
Note: $6$ designates sha512. Support for this method of specifying the algorithm is dependent on support in OS level crypt(3) library function (usually in libcrypt). It is not dependent on python version.
Perl
$ perl -e 'print crypt("password","\$6\$saltsalt\$") . "\n"'
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
In these examples the password is the string "password" and the salt is "saltsalt". Both examples are using $6$ which denotes that you want crypt to use SHA-512.
Yes, you're looking for mkpasswd
, which (at least on Debian) is part of the whois
package. Don't ask why...
anthony@Zia:~$ mkpasswd -m help
Available methods:
des standard 56 bit DES-based crypt(3)
md5 MD5
sha-256 SHA-256
sha-512 SHA-512
Unfortunately, my version at least doesn't do bcrypt. If your C library does, it should (and the manpage gives a -R option to set the strength). -R also works on sha-512, but I'm not sure if its PBKDF-2 or not.
If you need to generate bcrypt passwords, you can do it fairly simply with the Crypt::Eksblowfish::Bcrypt
Perl module.
You can use the doveadm
utility, which is included in the dovecot
package.
doveadm pw -s SHA512-CRYPT
Result example:
{SHA512-CRYPT}$6$0JvQ1LLFESzA16.I$JVdKAIq0igudTq06BMqzT9rL1gRawMPwLr9U3/kBMKUqZdONfa0wubC89C35LKl3aE16CRH57BfGb4ygPLggL1
Just cut {SHA512-CRYPT} and you'll get your SHA512 hashed string.