Hello Guys,

In this post we are going to disscuss about the file /etc/shadow. To change the password of the user on linux system we use the command ‘passwd‘, But on /etc/passwd file we don’t find any password details of the user, rather we can find it on /etc/shadow file.

Lets dive into the file for more details,

Snippets of /etc/shadow file

hplip:*:15630:0:99999:7:::
sathish:$6$GcpgrEm9$TY.skPn9zxiNN5c8LFZYQt/DmeOggy2IycFWpW.6DP8IhI90lDuPLQ6k/jd5wiE.C4TmGXZoTiSqIR3rHljHJ.:15751:0:99999:7:::
libuuid:!:15630:0:99999:7:::

Syntax

The /etc/shadow has 9 fields.

User : Encrypted Password : Date of last change password : Min. password age : Max. password age : Password warning period : Password interactive period : Account expiration date : Reserved field

where as ‘ : is the field separator.

Again within the encrypted Password (2nd field) we can separate it by ‘ $ ‘

$ id $ Salt $ Actual Encrypted  Password.

IdHash Algorithm NameLength
1MD522 characters
2aBlow Fish
5SHA 256 (since glibc 2.7)43 characters
6SHA 512 (since glibc 2.7)86 characters

 The ‘Salt‘ and ‘Encrypted Password’ are drawn from the set [a-z A-Z 0-9 . /]

To change the hashing algorithm, we need to change it in the file /etc/pam.d/common-password.

For the user ‘sathish‘ you can note down $ 6 $, which actually indicates that the hashing algorithm is SHA 512 and the length of encrypted password is 86 characters(note from the table).

Snapshot : 0

File Name : /etc/pam.d/common-password

/etc/pam.d/common-password

Inference :

  • Green Encircled : You can note down that the hashing algorithm is ‘sha512‘ .

Snapshot : 1

Now we will be suggesting to use ‘sha256’ hashing algorithm.

Just simply edit the above line to ‘sha256’ using your favorite editor(comment the line using ‘#’).

Edit to use sha256

  • You can note down that ‘sha256‘ is enabled now.

Snapshot : 2

Now we will check that hashing algorithm is sha256; that can be verified by creating a user.

padm user created

Inference :

  • The blue encircled($5$) for the user padm uses the hashing algorithm sha256 based on the id 5.
  • Also note that the changes have not affected the user sathish since its holding the same value ‘6’ which refers to sha512 which is of 86 characters length.
  • So changes will not be affecting the existing users.

Snapshot : 3

Now we want to force all the other users to change the password, so that their hashing algorithm will change from * (anything 😉 ) to sha256 .

Now we are going to list when the password was last changed by the user.

chage -l sathish

when password changed

Inference :

  • Password changed lastly on ‘Feb 15, 2013’

Snapshot : 4

Now we force the user ‘sathish’ to change the password. This can be done by the command as follows

chage -d 0 sathish

force the user to change the password

Snapshot : 5

On the next successful login of the user ‘sathish’, system will prompt the user to change the password.

hash algo sha256

Inference :

  • Yellow encircled : 5 refers => hashing algorithm sha256.
  • Red Encircled : Encrypted password length is 43 characters.

 Snapshot : 6

Lets verify when is the password changed for the user sathish recently.

password changes recently

Summary :

  • /etc/shadow file contains the information about password, like hashing algorithm, password expiry, interactive and so on.
  • /etc/pam.d/common-password password related modules in this file we can specify which hashing algorithm to use.
  • chage -l <<user>> is list when the password has been changed recently.
  • chage -d 0 <<user>> is used to change the password forcibly.

Everything in linux is file, Learn more about files. 🙂 😉

 

 

 

 

Linux : How to change the Password Hashing Algorithm on linux system
1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...

sathish

Linux Admin, Programmer and Technical Analyst at Capgemini. Ardent fan of Linux, web designing tools and AI.

Leave a Reply

Your email address will not be published. Required fields are marked *