How to Generate /etc/shadow-compatible Encrypted Passwords for SVN+SSH Access in Linux



When configuring SVN+SSH repository access on Linux systems, administrators often need to create password entries in /etc/shadow without granting shell access. The standard passwd command requires interactive login, which isn't feasible for restricted-access scenarios.

The most portable solution uses OpenSSL's passwd subcommand with SHA-512 hashing (-6, the current standard). Quote the command substitution so the salt is always passed as a single argument:

openssl passwd -6 -salt "$(openssl rand -base64 12)" -stdin <<< "your_password_here"

Example output format:

$6$HNf8sD2bXK9pL7jR$V4hPw3K...

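On Debian/Ubuntu systems, the whois package provides mkpasswd. mkpasswd rejects salt characters outside [./0-9A-Za-z], so the + that base64 output can contain is mapped to . first:

mkpasswd -m sha-512 --salt="$(openssl rand -base64 12 | tr '+' '.')" "password123"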

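For systems without OpenSSL or mkpasswd, Python's crypt module works on Python 3.12 and earlier (the module was deprecated in 3.11 and removed in 3.13):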

python3 -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'

The generated hash should begin with $6$ (SHA-512). Insert it into /etc/shadow after the username:

svnuser:$6$salt...hash:19285:0:99999:7:::

  • Always generate salts using cryptographically secure random sources
  • For production systems, consider SSH key authentication instead
  • Set password expiration policies in the shadow file's fifth field
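
Added example, not part of the original page: POSIX shell functions that check a string has the $6$ SHA-512 crypt shape and then format the shadow line shown above, refusing input that could smuggle extra fields or lines into the file. The function names, the user-name pattern and the sample hash are assumptions made for illustration; the sample is constructed and is not a real hash.

```shell
#!/bin/sh
# Added example: validate a crypt(3) string, then build an /etc/shadow line.
NL='
'
# matches STR ERE: true only if STR is one line that fully matches ERE.
# grep works line by line, so an embedded newline must be refused first,
# otherwise "goodhash<newline>extra:entry" would pass on its first line.
matches() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "^($2)\$"
}

# SHA-512 crypt shape: $6$[rounds=N$]salt$hash, with a salt of 1-16 and a
# hash of 86 characters, all from the crypt alphabet [./0-9A-Za-z].
is_sha512_crypt() {
    matches "$1" '\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}'
}

# shadow_entry USER HASH [MAX_DAYS]: print the nine-field shadow line.
# Field 3 is today's date in days since 1970-01-01, field 5 the maximum age.
# The body runs in a subshell, so its variables stay local to the call.
shadow_entry() (
    user=$1 hash=$2 max=${3:-99999}
    matches "$user" '[a-z_][a-z0-9_-]*' || { echo "bad user name" >&2; exit 1; }
    matches "$max" '[0-9]+' || { echo "bad max age" >&2; exit 1; }
    is_sha512_crypt "$hash" || { echo "not a \$6\$ hash" >&2; exit 1; }
    today=$(( $(date +%s) / 86400 ))
    printf '%s:%s:%s:0:%s:7:::\n' "$user" "$hash" "$today" "$max"
)

# Constructed sample with the right shape only (86 zeros, not a real hash).
SAMPLE_HASH="\$6\$Zx3kQ9pLm2Vt\$$(printf '%086d' 0)"
shadow_entry svnuser "$SAMPLE_HASH" 90
```

The printed line is meant to be reviewed and pasted in through vipw -s; nothing here writes to /etc/shadow.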

When setting up svn+ssh:// repository access, we often need to create system accounts with pre-defined passwords that get stored in /etc/shadow. The standard passwd command requires interactive input, which isn't ideal for automated setups or remote user scenarios.

The most reliable method uses OpenSSL's password hashing functionality. Here's the command syntax (with no password argument, openssl prompts for it):

openssl passwd -6 -salt "$(openssl rand -hex 4)"

Example workflow:


# Generate a SHA-512 password hash (the default on modern systems)
# Note: a password passed as an argument is visible in the process list
PASSWORD="securePass123"
SALT=$(openssl rand -hex 4)
ENCRYPTED=$(openssl passwd -6 -salt "$SALT" "$PASSWORD")

# Output will look like: $6$salt$hashedvalue
echo "$ENCRYPTED"

Using Python's crypt module


python3 -c 'import crypt; print(crypt.crypt("password", crypt.mksalt(crypt.METHOD_SHA512)))'

Using Perl


perl -e 'my @c = (".", "/", 0..9, "A".."Z", "a".."z"); print crypt("password", "\$6\$" . join("", map { $c[rand @c] } 1..16)), "\n"'

When implementing this:

  • Always generate random salts for each password
  • Prefer SHA-512 (method 6) over older hashing methods
  • Consider setting password expiration policies
  • For SVN+ssh, consider using SSH keys instead of passwords when possible

Once you have the encrypted string, edit /etc/shadow as root:


sudo vipw -s

Or use usermod:


sudo usermod -p '$6$salt$hashedvalue' username