How to create an SHA-512 hashed password for shadow?

Solution 1:

Here's a one liner:

python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'

Python 3.3+ includes mksalt in crypt, which makes it much easier (and more secure) to use:

python3 -c 'import crypt; print(crypt.crypt("test", crypt.mksalt(crypt.METHOD_SHA512)))'

If you don't provide an argument to crypt.mksalt (it could accept crypt.METHOD_CRYPT, ...MD5, SHA256, and SHA512), it will use the strongest available.

The ID of the hash (number after the first $) is related to the method used:

  • 1 -> MD5
  • 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
  • 5 -> SHA-256 (since glibc 2.7)
  • 6 -> SHA-512 (since glibc 2.7)

I'd recommend you look up what salts are and such and as per smallclamgers comment the difference between encryption and hashing.

Update 1: The string produced is suitable for shadow and kickstart scripts.
Update 2: Warning. If you are using a Mac, see the comment about using this in python on a mac where it doesn't seem to work as expected.

On macOS you should not use the versions above, because Python uses the system's version of crypt() which does not behave the same and uses insecure DES encryption. You can use this platform independent one liner (requires passlib – install with pip3 install passlib):

python3 -c 'import passlib.hash; print(passlib.hash.sha512_crypt.hash("test"))'

Solution 2:

On Debian you can use mkpasswd to create passwords with different hashing algorithms suitable for /etc/shadow. It is included in the package whois (according to apt-file)

mkpasswd -m sha-512
mkpasswd -m md5

to get a list of available hashing algoritms type:

mkpasswd -m help 

HTH


Solution 3:

Best Answer: grub-crypt

Usage: grub-crypt [OPTION]...
Encrypt a password.

-h, --helpPrint this message and exit
-v, --version           Print the version information and exit
--md5                   Use MD5 to encrypt the password
--sha-256               Use SHA-256 to encrypt the password
**--sha-512             Use SHA-512 to encrypt the password (default)**

Solution 4:

Here's a short C code to generate the SHA-512 password on various Unix type OSes.

File: passwd-sha512.c

#define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  if ( argc < 3 || (int) strlen(argv[2]) > 16 ) {
    printf("usage: %s password salt\n", argv[0]);
    printf("--salt must not larger than 16 characters\n");
    return;
  }

  char salt[21];
  sprintf(salt, "$6$%s$", argv[2]);

  printf("%s\n", crypt((char*) argv[1], (char*) salt));
  return;
}

to compile:

/usr/bin/gcc -lcrypt -o passwd-sha512 passwd-sha512.c

usage:

passwd-sha512 <password> <salt (16 chars max)>

Solution 5:

Perl one-liner solution to generate SHA-512 hashed password:

perl -le 'print crypt "desiredPassword", "\$6\$customSalt\$"'

Worked on RHEL 6