[CentOS] EL7, grub-crypt?

Wed Aug 27 23:58:18 UTC 2014
Jitse Klomp <jitseklomp at gmail.com>

2014-08-28 1:15 GMT+02:00 Darod Zyree <darodzyree at gmail.com>:

> 2014-08-28 0:51 GMT+02:00 David Goldsmith <dgoldsmith at sans.org>:
>
> > On Aug 27, 2014, at 6:37 PM, Darod Zyree <darodzyree at gmail.com> wrote:
> >
> > > 2014-08-27 16:07 GMT+02:00 Baptiste Agasse <baptiste.agasse at lyra-network.com>:
> > >
> > >>
> > >>
> > >> ----- Mail original -----
> > >>> Hi,
> > >>>
> > >>> What's the new way of creating sha512 passwords in EL7?
> > >>
> > >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html#sec-Password_Encryption
> > >>
> > >>> In Centos6 I used grub-crypt but that does not exist anymore.
> > >>> _______________________________________________
> > >>> CentOS mailing list
> > >>> CentOS at centos.org
> > >>> http://lists.centos.org/mailman/listinfo/centos
> > >>>
> > >>
> > >> --
> > >> Baptiste AGASSE
> > >> Lyra Network, Service Systèmes et Réseaux
> > >> 109 Rue de l'innovation, 31670 Labège - France
> > >> Tél: (+33)5.67.22.31.87
> > >> Fax: (+33)5.67.22.31.61
> > >> Mail: baptiste.agasse at lyra-network.com
> > >> Site: http://www.lyra-network.com
> > >>
> > >
> > > But this is for creating passwords for grub2, no?
> > >
> > > I was asking (although might not have been clear enough) on how to get the
> > > encrypted values for the shadow file entries.
> > > grub-crypt used to be able to do that, returning with the encrypted value
> > > of a given passphrase starting with $6$
> >
> >
> > It's the default hash used on EL7 by the "passwd" command.
> >
> > [root@centos7 etc]# grep dgoldsmith /etc/shadow
> > dgoldsmith:$6$IoGARIF2$44lyu/9VjFmGsOW (line truncated)
> >
> > [root@centos7 etc]# tail -3 /etc/login.defs
> > # Use SHA512 to encrypt password.
> > ENCRYPT_METHOD SHA512
> >
> > --
> > David Goldsmith
> >
> >
> >
> >
> Right, sha512 was default for rhel6 too.
>
>
> Am I failing to understand something?
>
> So, let's say I create a new user account, and it was that password (going
> against all common password policies) to be "tree"
> without using passwd how do I get the sha512 encrypted value of that
> password "tree"?
>

This thread on Server Fault[1] suggests the following one-liner:

python -c 'import crypt; print crypt.crypt("tree", "$6$random_salt")'


 - Jitse

[1] http://serverfault.com/questions/330069/how-to-create-an-sha-512-hashed-password-for-shadow
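
An added example, not part of the original thread or the linked Server Fault answer: the one-liner above passes a literal salt, and a salt reused for several accounts makes equal passwords produce equal hashes. This Python 3 sketch audits shadow-format lines for entries that are not `$6$` hashes and for salts shared between accounts; the helper names (`new_salt`, `classify`, `audit`) and all sample lines are constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# $6$[rounds=N$]salt$hash: salt of up to 16 chars, SHA-512 digest encoded as 86 chars
SHA512 = re.compile(r"^\$6\$(?:rounds=\d+\$)?([^$:\s]{1,16})\$([./0-9A-Za-z]{86})$")

def new_salt(length=16):
    """Fresh random salt for one account, to use instead of a fixed literal."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def classify(field):
    """Return (kind, salt) for the password field of one shadow line."""
    if field == "":
        return "empty", None
    if field[0] in "!*":
        return "locked", None
    m = SHA512.match(field)
    return ("sha512", m.group(1)) if m else ("other", None)

def audit(shadow_text):
    """List findings: empty passwords, non-$6$ hashes, salts shared by accounts."""
    findings, by_salt = [], defaultdict(list)
    for line in filter(None, shadow_text.splitlines()):
        user, field = line.split(":")[:2]
        kind, salt = classify(field)
        if kind == "empty":
            findings.append(f"{user}: empty password field")
        elif kind == "other":
            findings.append(f"{user}: not a well-formed $6$ (SHA-512) hash")
        elif kind == "sha512":
            by_salt[salt].append(user)
    for salt, users in by_salt.items():
        if len(users) > 1:
            findings.append(f"{', '.join(users)}: share salt {salt!r}")
    return findings

# Constructed sample: the digests are filler characters, not real hashes.
SAMPLE = "\n".join([
    "root:$6$Qw3rTy.Zx9/aBcDe$" + "a" * 86 + ":16309:0:99999:7:::",
    "alice:$6$random_salt$" + "b" * 86 + ":16309:0:99999:7:::",
    "bob:$6$random_salt$" + "c" * 86 + ":16309:0:99999:7:::",
    "legacy:$1$abcdefgh$" + "d" * 22 + ":16309:0:99999:7:::",
    "daemon:*:16309:0:99999:7:::",
])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A value from `new_salt()` can replace `random_salt` in the salt argument of the one-liner so that each account gets its own salt.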