Password hash explanation

Password hash explanation

You can see that unlike the /etc/passwd file the /etc/shadow file only has the “r” (read) permission set for root user.

Which means no other user has access to this file. Let’s see what’s the content of this file?

[root@root1 ~]# cat /etc/shadow

root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::

Let’s understand each and every field of that output, that are separated by a “:”.

1. The first field is self explanatory, its the USERNAME

2. The second field is the encoded password (Which is a one way hash..we will be discussing this in detail)

3. The third field is the day’s since the UNIX time that password was changed.

Refer: What is UNIX time?

4. This field specifies the number of days, that are required between password changes.

5.No of days after which its necessary to change the password.

6.This is the number of days before the required password change, the user gets a warning

7.If the password has expired, after this number of days the account will be disabled

8.No of days from the Unix Time, the account is disabled

9. This field is not used yet…

Now you will be confused, that why does the /etc/shadow, file contains these many information’s rather than only the encoded password. This is because shadow-util’s package provides some more advanced feature’s along with storing encoded passwords in /etc/shadow. The above mentioned fields of /etc/shadow, file tell’s those added feature’s to a certain extent like age of the passwords and its expiry, and also below mentioned feature’s.

  • Default parametres for user account creation (/etc/login.defs)
  • Tools to modify user accounts and groups
  • Enforcing strict password selection

From the above shown example entry, our topic of interest is the second field(the field with the encoded hash of the password).

$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

The above shown encoded hash value can be further classified into three different fields as below.

1. The first field is a numerical number that tell’s you the hashing algorithm that’s being used.

  •  $1 = MD5 hashing algorithm.
  •  $2 =Blowfish Algorithm is in use.
  •  $2a=eksblowfish Algorithm
  •  $5 =SHA-256 Algorithm
  •  $6 =SHA-512 Algorithm

2. The second field is the salt value

Salt value is nothing but a random data that’s generated to combine with the original password, inorder to increase the strength of the hash..

3.The last field is the hash value of salt+user password (we will be discussing this shortly).

So in our example entry of root, as shown below,

$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

The above shown encoded password is using MD5 hashing algorithm (because the of $1$)

Salt value is Etg2ExUZ (the content between the second and third $ sign)

And the hash value of “PASSWORD + SALT”. Let’ s reproduce the same output by providing the salt value of Etg2ExUZ and the original password.

[root@root1 ~]# openssl passwd -1 -salt Etg2ExUZ redhat

$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

[root@root1 ~]#

With the help of the above openssl command, you can see that the encoded entry can only be reproduced with the exact same salt value (which is always randomly selected by the password program).

This is what is done by the login program when you enter the password, it uses the salt value and your entered password to create an encoded string. If that encoded string matches the encoded string from the shadow file, then the user login is considered as successful.

Changing the salt will change the entry in shadow file. -1 option used in the above command, tell’s which hashing algorithm to use( 1 indicates md5 algorithm).

How to generate a shadow style password hash?

[root@localhost ~]# openssl passwd -1 redhat123

$1$jp5rCMS4$mhvf4utonDubW5M00z0Ow0

In this case salt value is the eight characters between the 2nd and 3rd $ sign. i.e jp5rCMS4.
You can paste the above output into your shadow file for a particular user and then that user can easily login with the password “redhat123”.