When working with Linux user authentication, storing passwords securely in the /etc/shadow
file is crucial. The MD5-based scheme ($1$) was once common, but it is built on a weak hash with a fixed 1000 iterations. SHA-512 crypt ($6$) uses SHA-512, a salt of up to 16 characters, and a configurable iteration count (5000 rounds by default), which makes offline guessing considerably more expensive.
A convenient way to generate SHA-512 hashes for shadow files is Python's crypt
module, which calls the system's crypt(3). Note that the module was deprecated in Python 3.11 and removed in 3.13, so on newer systems use openssl or mkpasswd (below). Here's the one-liner:
python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"
This command does several important things:
- Uses Python 3's crypt module, which wraps the system's crypt(3)
- Generates a random salt automatically with mksalt()
- Specifies the SHA-512 method explicitly
- Prompts for the plaintext password instead of taking it as an argument, so it does not end up in shell history or the process list
- Outputs the complete hash in shadow file format
The output will look like this (your salt and hash will differ):
$6$somesaltvalue$hashedpasswordstring
The $6$
prefix identifies the sha512crypt scheme (a salted, iterated hash, not encryption). The whole string, prefix and salt included, is what goes in the password field of the user's /etc/shadow entry.
For systems without Python, you can use:
Using OpenSSL
openssl passwd -6 -salt $(openssl rand -hex 8)
(Without -salt, openssl generates a random salt itself. If you do pass one, it must use only the crypt alphabet [./0-9A-Za-z]; base64 output from openssl rand can contain '+', which is not valid there, so use -hex.)
Using mkpasswd (Debian/Ubuntu, from the whois package)
mkpasswd -m sha-512
Remember these important points when working with password hashes:
- Always use random salts (the Python method does this automatically)
- Never store plaintext passwords
- Keep /etc/shadow readable only by root (0640 root:shadow on Debian/Ubuntu, 0000 root:root on RHEL-family systems); never loosen it
- Consider the stronger schemes libxcrypt also supports: yescrypt ($y$), the default on current Debian, Ubuntu and Fedora, or bcrypt ($2b$)
Here's how to add a user with SHA-512 password in a script:
#!/bin/bash
set -euo pipefail
USERNAME="newuser"
# The password is a fixed literal here only to show the mechanism; in real use read it from a prompt or a secret store.
PASSWORD_HASH=$(python3 -c "import crypt;print(crypt.crypt('password123', crypt.mksalt(crypt.METHOD_SHA512)))")
# useradd -p expects the already-hashed value; it is briefly visible in the process list.
useradd -m -p "$PASSWORD_HASH" "$USERNAME"
SHA-512 crypt is supported by every current glibc/libxcrypt system and is far stronger than the older MD5 scheme, but it is no longer the strongest option available: libxcrypt also offers bcrypt and yescrypt, and recent Debian, Ubuntu and Fedora releases default to yescrypt. The "512" is the size of the underlying digest, not a measure of how hard a password is to guess; that cost is set by the iteration count (5000 rounds by default, adjustable with rounds=N in the salt).
The most straightforward method uses Python's built-in crypt module:
python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"
Example output (illustrative; the hash portion of a real sha512crypt string is 86 characters long):
$ python3 -c "import crypt;print(crypt.crypt(input('clear-text pw: '), crypt.mksalt(crypt.METHOD_SHA512)))"
clear-text pw: mySecurePassword123
$6$XvTp7X2v$9w0V9Q3k4z8K7lW5Y1R2U6I3O5P7Q9W2E4R6T8Y0U1I2O3P4Q5W6E7R8T9Y0
Using OpenSSL
For systems without Python 3:
openssl passwd -6 -salt $(openssl rand -hex 8)
Using Perl
perl -e 'print crypt("password", "\$6\$".join("", map { (0..9,"a".."z","A".."Z")[rand 62] } 0..15))."\n"'
(Perl's rand is not a cryptographic generator, which is acceptable for a salt that only needs to be unique, but replace the literal "password" with a prompted value rather than leaving it in the command line.)
The SHA-512 hash follows this structure:
$6$salt$hashedpassword
or, with a non-default iteration count:
$6$rounds=N$salt$hashedpassword
Where:
- $6$ identifies the sha512crypt scheme
- rounds=N (optional) sets the iteration count; the default of 5000 is used and omitted when absent
- salt is the random salt value, up to 16 characters from [./0-9A-Za-z]
- hashedpassword is the 86-character crypt-base64 encoding of the final digest
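To make the structure above concrete, here is an added example (not part of the original page) that implements the $6$ scheme in pure Python from Drepper's published "Unix crypt using SHA-256 and SHA-512" specification, so it runs even where Python's crypt module is gone. The function names (sha512_crypt, mksalt, parse_setting, verify) are my own; the salt-alphabet check in parse_setting is stricter than glibc, which simply reads up to the next '$'. The specification's own test vector (password "Hello world!", setting "$6$saltstring") can be used to confirm the output matches crypt(3).

```python
import hashlib
import hmac
import secrets

# crypt(3)'s own base64 alphabet (not RFC 4648) and the sha512crypt limits
# fixed by Drepper's "Unix crypt using SHA-256 and SHA-512" specification.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SALT_MAX = 16


def mksalt(rounds=None):
    """Build a '$6$[rounds=N$]salt' setting with a 16-char salt from the CSPRNG."""
    salt = "".join(secrets.choice(B64) for _ in range(SALT_MAX))
    return "$6$" + (f"rounds={rounds}$" if rounds else "") + salt


def parse_setting(setting):
    """Split '$6$[rounds=N$]salt[$hash]' into (salt, rounds, rounds_was_explicit)."""
    if not setting.startswith("$6$"):
        raise ValueError("not a sha512crypt ($6$) setting")
    rest = setting[3:]
    rounds, explicit = ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        num, _, rest = rest[len("rounds="):].partition("$")
        rounds, explicit = min(max(int(num), ROUNDS_MIN), ROUNDS_MAX), True
    salt = rest.split("$", 1)[0][:SALT_MAX]
    if any(c not in B64 for c in salt):   # stricter than glibc (assumption of this example)
        raise ValueError("salt contains characters outside [./0-9A-Za-z]")
    return salt, rounds, explicit


def _fill(block, n):
    """Repeat a 64-byte digest to exactly n bytes (the spec's P/S construction)."""
    return (block * (n // 64 + 1))[:n]


def _b64_24(b2, b1, b0, n):
    """Emit n crypt-base64 chars from a 24-bit word, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def sha512_crypt(password, setting):
    """Compute the sha512crypt hash string the same way crypt(3) does."""
    salt_s, rounds, explicit = parse_setting(setting)
    key, salt = password.encode(), salt_s.encode()
    klen = len(key)

    # Digest B mixes password and salt; digest A is the seed of the round loop.
    b = hashlib.sha512(key + salt + key).digest()
    a = hashlib.sha512(key + salt + _fill(b, klen))
    n = klen
    while n > 0:                        # walk the bits of the key length
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()

    # P and S: password-length and salt-length byte strings derived from digests.
    p = _fill(hashlib.sha512(key * klen).digest(), klen)
    s = _fill(hashlib.sha512(salt * (16 + a[0])).digest(), len(salt))

    # The cost factor: `rounds` chained SHA-512 computations.
    for i in range(rounds):
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()

    # Serialize the 64-byte digest using the scheme's interleaved byte order.
    out = ""
    for i in range(21):
        t = (a[i], a[i + 21], a[i + 42])
        t = t[i % 3:] + t[:i % 3]       # rotate the triple as the spec's table does
        out += _b64_24(*t, 4)
    out += _b64_24(0, 0, a[63], 2)
    prefix = "$6$" + (f"rounds={rounds}$" if explicit else "")
    return prefix + salt_s + "$" + out


def verify(password, stored):
    """Recompute using the stored string's own salt/rounds; constant-time compare."""
    try:
        return hmac.compare_digest(sha512_crypt(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    import getpass
    # Prompt rather than take the password as an argument: argv and shell history leak.
    print(sha512_crypt(getpass.getpass("clear-text pw: "), mksalt()))
```

Running the script prompts for the password and prints a shadow-ready string with a fresh 16-character salt; verify() shows the other half of the scheme, re-hashing with the salt and rounds embedded in the stored entry and comparing in constant time. Raising the rounds (for example mksalt(rounds=100000)) increases the cost of every guess an attacker makes, at the price of a slower login.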
Once you have the hashed password, you can manually update the shadow file:
sudo vipw -s
Or for a specific user (keep the single quotes so the shell does not expand the $ signs; the hash will appear in your shell history and, briefly, in the process list):
sudo usermod -p '$6$salt$hashedpassword' username
- Always use strong, randomly generated salts
- Consider stronger schemes where supported: yescrypt ($y$) is the default on current Debian, Ubuntu and Fedora; Argon2 is not offered by the standard crypt(3) implementations
- Generate hashes on a trusted machine and prompt for the plaintext instead of passing it on the command line, where it lands in shell history and the process list
- The Python crypt module and mkpasswd both call the system's crypt(3), so their output is exactly what the login path will compute; remember that Python's crypt was deprecated in 3.11 and removed in 3.13
If you encounter problems:
# Verify your system supports SHA-512 (RHEL/CentOS 7 and older; authconfig was replaced by authselect in RHEL 8)
authconfig --test | grep hashing
Make sure your /etc/login.defs contains the following, which sets the scheme used by the shadow-utils tools (chpasswd, newusers):
ENCRYPT_METHOD SHA512
On Debian/Ubuntu the passwd command's scheme is configured separately by pam_unix in /etc/pam.d/common-password (the sha512 or yescrypt option on the pam_unix.so line).