Generating Passwords Using crypt(3)

When writing things like Red Hat Kickstart scripts, or using useradd, or in many other cases, a password is required in the format generated by crypt(3). However, how do we generate a password in this format? In fact, there are many, many ways – if you just know what they are.

One way is to use mkpasswd. This utility is made just for this very purpose; to generate a password with crypt(3) use the command:

mkpasswd

The program will ask for a password, and generates a crypt(3) output string.

If you have the Apache web server loaded, you can use htpasswd. Use this command

htpasswd -nd user

The name of the user doesn’t matter, as it is the password we want. The output will be in the format user:password; just copy the password and you’re set.

If you have OpenSSL available, you can use the openssl command:

openssl passwd -crypt myPassword

Replace myPassword with the password you want to encrypt.

The other methods all require putting the password into the command line in plain text. This can be a problem: the process list (seen using ps) will have the password in it as long as the program runs. The password will also go into the shell history.

One way around this – with programming languages – is to use a script or to use the language’s interpreter.

Using Perl:

perl -e "print crypt('password','sa');"

Perl requires a salt ('sa' in the example).

Ruby can generate a crypt-formatted password, but it requires a salt:

ruby -e 'print "password".crypt("JU"); print("\n");'

Using PHP, you can generate a password from the UNIX command line this way:

php -r "print(crypt('password','JU') . \"\n\");"

Note that if you do not provide a salt ('JU' in the example) then the string returned may not be in crypt format, but rather in MD5 format. Thus, while the salt is an optional parameter, it is necessary in this case.

Using Python requires importing the crypt library – and it requires a salt:

python -c 'import crypt; print crypt.crypt("password","Fx")'

Again, the salt in this case is the second parameter or "Fx".

Databases can generate crypt passwords too; using MySQL it can be done like this:

echo "select encrypt('password');" | mysql

For Tcl there are a number of options; if you are using Ubuntu, you could give the trf package a try. If using Lua, there is the lua-crypt extension.

Feel free to add other options below – with working command-line examples.

10 thoughts on “Generating Passwords Using crypt(3)”

  1. Some caution needed when using these approaches. Anyone monitoring the system using “ps” has a fair chance of spotting your password.

  2. Can’t we see the password using history..if we use the command
    “openssl passwd -crypt myPassword”

  3. Sure, that is why you should perform a history -c command to clear this out.
    Also as mentioned before, anyone monitoring the processes may be able to get this information at the moment of execution.

    1. You can also delete the file directly from your home – either .history or .bash_history. However, there is also the possibility that the commands are being stored elsewhere or in another fashion. Best to avoid putting them on the command line altogether.

  4. THANKS! after years of working with linux AT LAST i found a method how to create those encrypted passwds from the command line :3

  5. I was looking for some information on how to call the actual function, not how to use other programs that call the function. The title of this page is misleading, as there is really no information on generating passwords with crypt(3) *directly*.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s