How to create SHA512 password hashes on command line

On any of the Red Hat distros such as Fedora, CentOS, or RHEL the command mkpasswd doesn't include the same set of switches as the version typically included with Debian/Ubuntu.

NOTE: The command mkpasswd is actually part of the expect package, and should probably be avoided. You can find out what package it belongs to with either of these commands.

$ yum whatprovides "*/mkpasswd"
-or-
$ repoquery -q --file */mkpasswd

Example

$ repoquery -q --file */mkpasswd
expect-0:5.43.0-8.el5.x86_64
expect-0:5.43.0-8.el5.i386

Both of these methods are superior to using rpm since the packages do not have to be installed to locate */mkpasswd.

Workarounds

To work around this you can use the following Python or Perl one-liners to generate SHA-512 passwords. Take note that these are salted:

Python (>= 3.3)

$ python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'

-or scripted-

$ python -c 'import crypt; print(crypt.crypt("somesecret", crypt.mksalt(crypt.METHOD_SHA512)))'

Python (2.x or 3.x)

$ python -c "import crypt, getpass, pwd; \
             print(crypt.crypt('password', '\$6\$saltsalt\$'))"

$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/

Note: $6$ designates sha512. Support for this method of specifying the algorithm is dependent on support in OS level crypt(3) library function (usually in libcrypt). It is not dependent on python version.

Perl

$ perl -e 'print crypt("password","\$6\$saltsalt\$") . "\n"'
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/

In these examples the password is the string "password" and the salt is "saltsalt". Both examples are using $6$ which denotes that you want crypt to use SHA-512.


Yes, you're looking for mkpasswd, which (at least on Debian) is part of the whois package. Don't ask why...

anthony@Zia:~$ mkpasswd -m help
Available methods:
des     standard 56 bit DES-based crypt(3)
md5     MD5
sha-256 SHA-256
sha-512 SHA-512

Unfortunately, my version at least doesn't do bcrypt. If your C library does, it should (and the manpage gives a -R option to set the strength). -R also works on sha-512, but I'm not sure if its PBKDF-2 or not.

If you need to generate bcrypt passwords, you can do it fairly simply with the Crypt::Eksblowfish::Bcrypt Perl module.


You can use the doveadm utility, which is included in the dovecot package.

doveadm pw -s SHA512-CRYPT

Result example:

{SHA512-CRYPT}$6$0JvQ1LLFESzA16.I$JVdKAIq0igudTq06BMqzT9rL1gRawMPwLr9U3/kBMKUqZdONfa0wubC89C35LKl3aE16CRH57BfGb4ygPLggL1

Just cut {SHA512-CRYPT} and you'll get your SHA512 hashed string.