Generating /etc/shadow-Compatible SHA-512 Passwords with Salt on Ubuntu 10.04: A Developer’s Guide


4 views

Ubuntu 10.04 (Lucid Lynx) uses SHA-512 as its default password hashing algorithm in the /etc/shadow file. The system employs a salted hashing mechanism where each password gets a unique random salt, making rainbow table attacks impractical.

The shadow entry follows this structure:

username:$6$salt$hashedpassword:remaining_fields

Where:

$6 indicates SHA-512

salt is a random 16-character string

hashedpassword is the actual encrypted password

You can use these methods to generate compatible passwords:

Method 1: Using mkpasswd

sudo apt-get install whois
mkpasswd -m sha-512 --salt=SALT_STRING YOUR_PASSWORD

Example:

mkpasswd -m sha-512 --salt=abcdefghijklmnop password123

Outputs: $6$abcdefghijklmnop$BhJm7L9...

Method 2: Using OpenSSL

openssl passwd -6 -salt SALT_STRING YOUR_PASSWORD

Method 3: Python Implementation

import crypt
print(crypt.crypt("password123", "$6$abcdefghijklmnop"))

For production systems, generate random salts:

import os
import crypt

def generate_shadow_password(password):
    salt = "$6$" + os.urandom(16).encode('hex')
    return crypt.crypt(password, salt)

To verify your generated hash matches Ubuntu's implementation:

sudo useradd testuser
sudo passwd testuser  # Set your generated password
sudo grep testuser /etc/shadow
# Compare the hash portion
  • Always use cryptographically secure random salts
  • Consider using higher iteration counts (though Ubuntu 10.04 doesn't support this)
  • The minimum salt length should be 8 characters, 16 recommended

For older systems that might still use MD5 ($1$) or SHA-256 ($5$), simply change the method parameter:

mkpasswd -m sha-256 --salt=SALT YOUR_PASSWORD

Ubuntu 10.04 uses SHA-512 for password hashing with a per-user salt for security. The format stored in /etc/shadow follows this structure:

$6$salt$hashedpassword

Where:

- $6$ indicates SHA-512 algorithm

- salt is a random string (typically 8-16 characters)

- hashedpassword is the final computed hash

The easiest method is using the mkpasswd utility from the whois package:

sudo apt-get install whois
mkpasswd -m sha-512 yourpassword [salt]

Example with custom salt:

mkpasswd -m sha-512 secret123 ABCDEFGH
$6$ABCDEFGH$rT6V6PxBr5ZgJ9Z2k6Y7X1v8M9W8zYd5cU0aB3vY7dK5lN2qW3sV4bC6xX7jH8nY9

For programmatic generation:

import crypt
import random
import string

def generate_shadow_password(password):
    salt = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))
    return crypt.crypt(password, '$6$' + salt)

print(generate_shadow_password("mypassword"))

Alternative method using OpenSSL (note: doesn't produce /etc/shadow format directly):

openssl passwd -6 -salt ABCDEFGH secret123

To verify a generated hash matches the password:

python3 -c "import crypt; print(crypt.crypt('testpassword', '$6$ABCDEFGH$existinghash'))"
  • Always use strong, random salts (minimum 8 characters)
  • SHA-512 is more secure than older algorithms but consider modern alternatives for new systems
  • Never store generated passwords in version control