
I am looking to change my CentOS password by using passwd with encryption.

    echo "Password1" | passwd --stdin username

But if I use the above method, a user will see what my password is. Does someone know how I can make "Password1" encrypted?

Sokphak
  • I presume you're trying to do this in a batched manner? If not, how about just `passwd username`? – MadHatter Oct 22 '13 at 08:27
  • I'm trying to do it remotely and need to use only one line. – Sokphak Oct 22 '13 at 08:30
  • Why? I don't mean to criticise, but questions like this often reveal underlying assumptions or constraints that are questionable at best. – MadHatter Oct 22 '13 at 08:36
  • Do you mean it is easy or you don't know? – Sokphak Oct 22 '13 at 08:40
  • Neither. I mean that I suspect there is no good reason to do it in one line; if there is, the nature of those business constraints may affect possible solutions (at the moment, I'm thinking sending a `crypt`ed string to `usermod -p`). Unless, of course, this is a homework question; we don't totally frown on those, but it's considered polite to declare them in the question. – MadHatter Oct 22 '13 at 08:41
  • Oh, we have a server as the control panel and a lot of clients connect via VPN. So we need to send a command to those clients to change the password. – Sokphak Oct 22 '13 at 08:44
  • Why does that mean it has to be done in one line? If what you really mean is "*I need to set a password in a non-interactive session*", that would be a subtly (but significantly) different question. – MadHatter Oct 22 '13 at 08:45
  • Sorry, I may have used the wrong expression then. I just want to make it simple. – Sokphak Oct 22 '13 at 08:47

1 Answer


At the moment, I think your best bet is to pass the hashed password to the client, instead of the plaintext one.

Locally, hash the password with

    hashpass=$(openssl passwd -1 -salt sssss ppppppppppp)

Then tell the remote client

    usermod -p "$hashpass" username

where sssss is a random salt, ppppppppppp is the desired password, and username is the user whose password is to be reset. Ensuring the correct passage of $hashpass is also something you will need to attend to.

If you run the openssl command on the command line, you'll see how it returns a hashed password string rather than the plaintext password. This is still not completely secure, but a lot better than having a plaintext password on the CLI. I also note that this uses md5 hashing, which is considered weak. I can't currently find a way of producing a sha-hashed password from the command line; if you can, that would be better.

MadHatter
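The approach in the answer above, as an added example that is not part of the original answer: it hashes with SHA-512 crypt (`openssl passwd -6`, which needs OpenSSL 1.1.1 or later), reads the plaintext from stdin so it never appears in a process listing, and hands the hash to `chpasswd -e` on stdin so the remote shell never expands the `$` characters in it. The function names, the user-name rule and the ssh host argument are assumptions.

```shell
#!/bin/sh
# Added example; function names and the host/user arguments are placeholders.

# Read the plaintext from stdin (not argv, so it stays out of `ps` and shell
# history) and print a SHA-512 crypt string. A random salt is generated
# unless one is given as $1.
hash_password() {
    if [ -n "${1:-}" ]; then
        openssl passwd -6 -salt "$1" -stdin
    else
        openssl passwd -6 -stdin
    fi
}

# Build the "user:hash" record that `chpasswd -e` reads, rejecting anything
# that is not a plain user name or a well-formed $6$ crypt string.
# Assumption: user names are lowercase letters, digits, '_' and '-'.
chpasswd_record() {
    user=$1
    crypt_hash=$2
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    case $crypt_hash in
        '$6$'*'$'*) ;;
        *) echo "not a SHA-512 crypt hash" >&2; return 1 ;;
    esac
    case $crypt_hash in
        *[!A-Za-z0-9./=\$]*) echo "unexpected character in hash" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$user" "$crypt_hash"
}

# Send the record to the client over ssh. The remote command line is a fixed
# string; the hash travels on stdin only. chpasswd must run as root there.
push_password() {
    host=$1
    record=$(chpasswd_record "$2" "$3") || return 1
    printf '%s\n' "$record" | ssh "$host" 'chpasswd -e'
}
```

A typical call is `push_password client1 username "$(hash_password)"`, typing the new password on the terminal followed by Ctrl-D.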