I am setting up a new account on a Linux box for Subversion repository access, and can send the password to the new user. However, I think there was a command line utility for this new user to encrypt the password he likes into a format I can copy/paste directly into the /etc/shadow file.
What was the full command that this new user should run on the console (e.g. Bash) to create such an encrypted password?
UPDATE: the user will not be allowed to log in on the machine, and the account will merely be used for svn+ssh:// access. Therefore, the user cannot change it himself.
The format of the password in shadow can vary. You could set it to be MD5 or the good old DES3 or... You are good sending your user a password and forcing her to change it in the first login:
# chage -d 0 username
From Gonzalo -
Instead of having them encrypt the password and send it to you, why not just tell them to type:
passwd
It will do everything you want with the added advantage that they can change their passwords without any extra work for you.
EDIT: According to this, there's supposedly a command called makepassword that you can get for Debian/Ubuntu.
Daniel Pryden : Because that requires the user to already be logged in. The OP wants a solution to set the password securely *before* the user logs in for the first time.
Brendan Long : It seems like randomly generating a password and having them change it when they log in is just as secure as having them generate a password and manually adding it.
Egon Willighagen : The user will actually never login (shell:/bin/false), and only allow SVN read/write access...
Brendan Long : You could set shell:/usr/bin/passwd :D
Brendan Long : I mean that last comment as joke, but apparently it will work: http://markmail.org/message/ekuxvnhdagywy4i5
From Brendan Long -
/etc/passwd and /etc/shadow are very easy to tokenize with the usual command line tools (i.e. grep, awk, sed, tr, etc).
What becomes interesting is the actual password hash field in /etc/shadow; its prefix tells you how the password has been encrypted. From man 5 shadow:
The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 characters alphabet a thru z, A thru Z, 0 thru 9, . and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.
How it was encrypted broadly depends on how old the installed OS happens to be. It's important to pay special attention to the second field in /etc/shadow.
You should make every effort to follow whatever hash the system is using, be it DES, MD5, etc., since it's so easy to detect.
From Tim Post -
Why not SU into to the user and run passwd?
Egon Willighagen : Because I do not want to know the password... or have it sent to me in an unencrypted form.
From EsbenP -
the user can execute on his computer something like:
echo "password"|openssl passwd -1 -stdin
and then send you the output.
Antoine Benkemoun : +1 does exactly what you are looking for.
Egon Willighagen : Why is that command giving a different value each time I call it?
Gonzalo : The format of the output is $id$salt$encrypted. Different id and different salt give you a different encrypted string. The id is the algorithm used: 0->DES, 1->MD5, 2a->Blowfish, 5->SHA-256, 6->SHA-512
Egon Willighagen : OK, so I need to figure out how to trigger a certain id (which was the same all the time) and salt (which changed with each call)... makes sense.
From Daniel -
Is there a way to generate these passwords via command line? Yes, with the Debian package makepasswd (but only for MD5):
echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.
But this will not work via copy and paste inside /etc/shadow. To change a password via script in some Linux distributions, you can use:
echo oracle:mypasswd | chpasswd
or
echo -n mypasswd | passwd --stdin oracle
From Dragos Toader
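Gonzalo's comment on the openssl answer explains the $id$salt$encrypted layout, and the last answer shows an MD5-crypt hash destined for /etc/shadow. As an added example that is not part of the original thread, here is a small Python checker that classifies a shadow password field by that prefix, extracts salt and digest, and flags fields that are locked, use legacy DES, or contain characters outside the alphabet man 5 shadow allows (the usual result of a mangled copy/paste). The scheme-id table extends the thread's list with the other ids crypt(5) documents on glibc/libxcrypt systems; the sample lines are constructed, and apart from the makepasswd hash quoted above the hash values in them are invented.

```python
"""Classify /etc/shadow password fields by their $id$ prefix (added example)."""
import re

# Hash scheme ids: those listed in Gonzalo's comment (1, 2a, 5, 6) plus the
# other ids crypt(5) documents on glibc/libxcrypt systems.
SCHEME_BY_ID = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Digest lengths (in the 64-character alphabet) for the fixed-length schemes.
DIGEST_LEN = {"MD5-crypt": 22, "SHA-256-crypt": 43, "SHA-512-crypt": 86}

# The alphabet man 5 shadow allows: a-z, A-Z, 0-9, '.' and '/'.
HASH_ALPHABET = re.compile(r"^[A-Za-z0-9./]+$")


def classify_password_field(field):
    """Describe one shadow password field as a dict.

    'state' is one of empty, locked, des, modular or invalid; modular entries
    also carry scheme, salt, hash and a 'rounds' value when the field has one.
    A salt or digest outside the allowed alphabet (a space or line break picked
    up while pasting, for instance) is reported as invalid.
    """
    if field == "":
        return {"state": "empty", "scheme": None}
    if field[0] in "!*":
        # "!" or "*" (alone or prefixed to a hash) disables password login
        return {"state": "locked", "scheme": None}
    if not field.startswith("$"):
        # Traditional DES crypt: 2 salt characters followed by 11 hash characters
        if len(field) == 13 and HASH_ALPHABET.match(field):
            return {"state": "des", "scheme": "DES-crypt",
                    "salt": field[:2], "hash": field[2:]}
        return {"state": "invalid", "scheme": None}

    parts = field.split("$")  # "$1$salt$hash" -> ["", "1", "salt", "hash"]
    scheme_id = parts[1] if len(parts) > 1 else ""
    scheme = SCHEME_BY_ID.get(scheme_id)
    body = parts[2:]
    if scheme is None or len(body) < 2 or not all(body):
        return {"state": "invalid", "scheme": scheme, "id": scheme_id}

    if scheme == "bcrypt":
        # bcrypt packs cost, 22 salt characters and 31 digest characters: $2a$10$<53 chars>
        cost, blob = body[0], body[-1]
        if len(body) != 2 or len(blob) != 53 or not cost.isdigit():
            return {"state": "invalid", "scheme": scheme, "id": scheme_id}
        salt, digest, rounds = blob[:22], blob[22:], int(cost)
    else:
        # Everything else ends in "$salt$digest"; optional parameters sit in between
        salt, digest = body[-2], body[-1]
        rounds = None
        for param in body[:-2]:
            value = param[len("rounds="):] if param.startswith("rounds=") else ""
            if value.isdigit():
                rounds = int(value)

    if not (HASH_ALPHABET.match(salt) and HASH_ALPHABET.match(digest)):
        return {"state": "invalid", "scheme": scheme, "id": scheme_id}
    if scheme in DIGEST_LEN and len(digest) != DIGEST_LEN[scheme]:
        return {"state": "invalid", "scheme": scheme, "id": scheme_id}
    return {"state": "modular", "scheme": scheme, "id": scheme_id,
            "salt": salt, "hash": digest, "rounds": rounds}


def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine fields and classify the password."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    info = classify_password_field(fields[1])
    info["user"] = fields[0]
    # A last-change value of 0 is what "chage -d 0" writes: change forced at next login
    info["must_change"] = fields[2] == "0"
    return info


def audit_shadow(lines):
    """Return (user, state, scheme) per entry so weak or mangled hashes stand out."""
    return [(e["user"], e["state"], e["scheme"])
            for e in (parse_shadow_line(l) for l in lines if l.strip())]


# Constructed sample entries (not from any real system). The svnuser hash is the
# makepasswd output quoted in the thread; the other hash values are invented.
SAMPLE_SHADOW = [
    "svnuser:$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.:0:0:99999:7:::",
    "alice:$6$rounds=5000$Qx7Yz2Kp$" + "a" * 86 + ":18000:0:99999:7:::",
    "legacy:abJnggxhB/yWI:10000:0:99999:7:::",
    "nologin:!:18000:0:99999:7:::",
    "pasted:$1$r2elYKyB$vUr/Ph.brKT ldM2h2k8J5.:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, state, scheme in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-8s %s" % (user, state, scheme))
```

Run as a script it prints one line per sample entry; the "pasted" entry comes back invalid because of the stray space, which is exactly the kind of damage a hash suffers when it is copied into /etc/shadow by hand rather than written with chpasswd or passwd --stdin.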