useradd and crypt
David Bandel
david.bandel
Wed Oct 4 18:47:36 PDT 2006
On 10/4/06, Michael Hipp <Michael at hipp.com> wrote:
> Bill Campbell wrote:
> > On Wed, Oct 04, 2006, Michael Hipp wrote:
> >> David Bandel wrote:
> >>> On 10/3/06, Michael Hipp <Michael at hipp.com> wrote:
> >>> [snip]
> >>>> I get a different result on every run and none of them match what is in
> >>>> /etc/shadow for known passwords. Also tried --crypt-md5 with similar results.
> >>>> So how do you get it to match what passwd would produce so that the input to
> >>>> the useradd command would be correct for /etc/shadow?
> >>> <sigh>
> >>> You've obviously been playing with Windoze and kindergarten
> >>> cryptography for too long.
> >>>
> >>> ...
> >>> Trust me, the crypts are good.
> >> <sigh>
> >> I wasn't questioning whether the crypts were "good". That is assumed. My
> >> question - poorly asked - was which crypt is the "correct" one. In other
> >> words, what options do I supply to crypt to get something that is appropriate
> >> for the adduser command?
> >
> > You need to supply the plain text password and salt characters.
> > See ``man 3 crypt'' for more information on the format of the
> > salt. On Linux systems one can also use extended encryption
> > which is in the ``GNU EXTENSION'' section of the man pages.
> >
> > The way a UNIX/Linux system verifies passwords is to pass the plain text
> > password and encrypted password to the crypt(3) routine which then encrypts
> > the plain text with the salt from the encrypted password, comparing the
> > result to the encrypted password. They will only match if the plain text
> > is the same.
> >
> > For DES encryption, you need to generate two random characters from the set
> > [a-zA-Z0-9./]. If you want crypt to generate an MD5-based algorithm, then
> > supply a salt in the format "$1$<string>$", where "<string>" stands for the
> > up to 8 characters from the same set of characters.
>
> Apologies for being dense...
>
> Looking at my /etc/shadow and /etc/pam.d/common-password it appears I'm using
> md5. So to generate a new password for the adduser command is it sufficient to
> do 'crypt --crypt-md5 --string abc123' or is there also some magic salt I'm
> supposed to come up with?
The salt is part of the md5 hash. Just use it.
>
> And for the record, they don't cover cryptography and ciphers in the
> kindergartens in Arkansas. They do use Windoze tho. ;-)
They don't cover cryptography or ciphers in Redmond, WA, either. ;-)
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto