In this tutorial, we’ll look at the hashing methods used by Linux to hash the user’s passphrase.
2. The User Accounts File Store
In Linux, the /etc/passwd and /etc/shadow files are important as they are the main files that store our user account information and hashed passwords.
2.1. The /etc/passwd File
The /etc/passwd file is the text file that stores the user account information. A typical passwd file contains rows of records that store the information of different users:
$ sudo cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin bob:x:1000:1000:,,,:/home/bob:/bin/bash
We see that each record contains fields that store the username, encrypted password, UID, GID, GECOS, home path, and login shell.
From the passwd documentation, the second field is supposed to store the encrypted user password. But this is only true for older Linux systems, where encrypted user passwords are stored in the passwd file. In newer Linux, the encrypted passwords are stored in the /etc/shadow file. In turn, the encrypted password field in the /etc/passwd file is filled with the x character.
2.2. Why Do We Need /etc/shadow File?
One important constraint about the /etc/passwd file is that it has to be readable by all the users in the system. This is because a lot of applications rely on the passwd file to perform their functions.
For instance, when we run ls, the command needs to resolve the numerical UID to its corresponding username by referring to the passwd file. Therefore, we can see that if we store the hashed password in the /etc/passwd file, it can largely increase the surface of the attack on the system.
To reduce the attack surface on the system, newer Linux introduced the /etc/shadow file to store all the encrypted passwords. It achieves better security by restricting the read and write of the file to the root user only.
2.3. Structure of the /etc/shadow File
Let’s inspect the file using the cat command:
$ sudo cat /etc/shadow root:*:19268:0:99999:7::: daemon:*:19268:0:99999:7::: bin:*:19268:0:99999:7::: sys:*:19268:0:99999:7::: sync:*:19268:0:99999:7::: games:*:19268:0:99999:7::: man:*:19268:0:99999:7::: lp:*:19268:0:99999:7::: mail:*:19268:0:99999:7::: news:*:19268:0:99999:7::: uucp:*:19268:0:99999:7::: proxy:*:19268:0:99999:7::: www-data:*:19268:0:99999:7::: backup:*:19268:0:99999:7::: list:*:19268:0:99999:7::: irc:*:19268:0:99999:7::: gnats:*:19268:0:99999:7::: nobody:*:19268:0:99999:7::: _apt:*:19268:0:99999:7::: bob:$y$j9T$zPF7Mu9FkqYygaL1ZUgzb1$hRpI0KXcQEvyUrRWHmfYgCw0GEOMXPsKh2iKI5rz/I7:19301:0:99999:7:::
Each line in the file represents a single account and its password information in nine colon-separated fields. The first line is usually the root account. Then, it’s followed by system accounts and then user accounts.
In the file, we can see that the root user and all of the system users have an asterisk in the encrypted password field. This means we cannot log in as these users with the UNIX password mechanism.
For our user bob at the last entry, it has a hashed passphrase value of
$y$j9T$zPF7Mu9FkqYygaL1ZUgzb1$hRpI0KXcQEvyUrRWHmfYgCw0GEOMXPsKh2iKI5rz/I7. This hashed value is produced by the crypt function in Linux when we set the passphrase for the user using the passwd command.
3. The crypt Function
In Linux, user passphrases are hashed using the crypt function before they are stored in the shadow file.
The hashed passphrase follows a specific format:
The id is the ID of the hashing method used when hashing the passphrase. For example, if the hash value is produced by yescrypt, the ID will be y, and 6 if the sha512crypt method is used. For a complete list of hashing methods and their ID, we can refer to the file format of the crypt function documentation.
By comparing the hashed passphrase of bob we saw earlier with the format, we can see that the ID of the encryption method is y. In other words, our passphrase for user account bob is hashed using the yescrypt method.
4. Changing the Hashing Method
To change the hashing method for hashing the passphrase, we can look at the /etc/pam.d/common-password file. This file contains a line that configures the hashing method used for hashing passphrases. Specifically, we can look at the line with the text pam_unix.so.
$ cat /etc/pam.d/common-password | grep pam_unix.so password [success=1 default=ignore] pam_unix.so obscure yescrypt
We can change the hashing method by replacing the yescrypt argument with another supported hashing method by editing the /etc/pam.d/common-password. For instance, we can change the hashing method to sha512crypt:
$ sudo sed -i 's/yescrypt/sha512crypt/g' /etc/pam.d/common-password
To see it in effect, we change the passphrase for user bob and inspect the value in the /etc/shadow file again:
$ sudo cat /etc/shadow | grep bob bob:$6$qHfjZ3ABkgCP1UDg$lXwdE7G.GPfSJLwqvDuCvqnFSWow8jI2e0I71gYF3QWpF.PeUyiuAm/VJ8iRj77.2yshaMPvp96XL5hiJtljL/:19302:0:99999:7:::
The hashing method ID is now 6 which corresponds to the ID of sha512crypt encryption.
In this article, we’ve taken a look at the hashing of a user’s passphrase in Linux. We started off with inspecting the /etc/shadow file which keeps all the hash passphrases of users in the system. Then, we looked at the format of the hashed passphrase which contains information about the hashing method. Finally, we’ve also seen how we can change the hashing method by editing the /etc/pam.d/common-password file.