
I'm trying to mimic the creation of password strings as they appear in /etc/shadow.

This is what I've got so far, but the encrypted passwords don't match when I use the same password and the same salt.

5000 rounds is standard for crypt, so I used that as well, but I don't see where exactly I made a mistake:

I'm doing this in Perl; this is the relevant portion:

use strict;
use warnings;
use feature 'say';
use Digest::SHA;
use MIME::Base64;
# random_bytes() comes from a module not shown in the post

my ($pass, $salt) = @ARGV;

# generate a salt when none is given on the command line
unless (defined($salt)) {
    $salt = MIME::Base64::encode(random_bytes(12), '');
}

# 4999 iterations of raw SHA-512 over salt . pass (binary output)
for my $i (1 .. 4999) {
    $pass = Digest::SHA::sha512($salt, $pass);
}

say "";

# 5000th hash, base64-encoded with the standard alphabet and no padding,
# printed as $6$salt$hash plus a trailing '$' (real shadow entries have none)
print '$6$', $salt, '$', Digest::SHA::sha512_base64($salt, $pass), "\$\n";
Scott Arciszewski
polemon

2 Answers


The crypt algorithm involves a lot more than just re-hashing 5,000 times:

LukeH
  • Yeah, I was expecting something like this. Thanks, I'll read through it and accept if it's what I'm looking for. – polemon Sep 24 '10 at 11:36
  • The document says: "2. the password string is added to digest A. 3. the salt string is added to digest A." Does that mean that first I append the salt to the password string? If so, that would be the other way round for MD5, which prefixes passwords with salt. – polemon Sep 24 '10 at 11:42
  • OK, I'm getting there. I also cross-checked with http://www.eglibc.org/cgi-bin/viewcvs.cgi/branches/eglibc-2_9/libc/crypt/sha512-crypt.c?rev=7350&view=markup; interestingly, there are some documentation errors... I don't quite get the last part, where he makes the Base64: is that reversed byte order? – polemon Sep 26 '10 at 03:15
perl -e 'print crypt("qwerty", "\$6\$somesalt\$")'
Anton Shevtsov
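The schedule the first answer alludes to (digest A and B, the P and S byte strings, the 5000-round loop, and the permuted base64 that the comments ask about) and what the crypt() call in the second answer computes, as an added Python example. This is not code from the question, either answer, or glibc; it follows the sha-crypt specification and glibc's sha512-crypt.c using only hashlib and hmac from the standard library. The helper names (sha512_crypt, sha512_crypt_hash, verify_shadow) are this example's own, the rounds= field is emitted only for non-default round counts (glibc also echoes an explicit rounds=5000), and the specification's published test vector for "Hello world!" with salt "saltstring" is embedded as SPEC_VECTOR so the block runs offline.

```python
"""SHA-512 crypt ($6$) with hashlib, following Drepper's sha-crypt spec as
implemented in glibc's sha512-crypt.c. Added example, not code from the post."""
import hashlib
import hmac

# crypt's own base64 alphabet (not RFC 4648): '.', '/', digits, upper, lower
B64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Pack three bytes into 24 bits and emit n chars, low sextet first.
    Nothing is bit-reversed: bytes are interleaved by the permutation below
    and each 24-bit group is emitted least-significant sextet first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode_digest(d: bytes) -> str:
    """glibc's fixed permutation of the 64 digest bytes: 21 triples
    (k, k+21, k+42), each rotated by k mod 3, then byte 63 as two chars."""
    chars = []
    for k in range(21):
        trip = (k, k + 21, k + 42)
        r = k % 3
        i2, i1, i0 = trip[r], trip[(r + 1) % 3], trip[(r + 2) % 3]
        chars.append(_b64_from_24bit(d[i2], d[i1], d[i0], 4))
    chars.append(_b64_from_24bit(0, 0, d[63], 2))
    return "".join(chars)          # always 21*4 + 2 = 86 characters


def _repeat_to(block: bytes, length: int) -> bytes:
    """Whole copies of a 64-byte digest, then a prefix for the remainder."""
    return block * (length // 64) + block[: length % 64]


def sha512_crypt_hash(password: bytes, salt: bytes, rounds: int) -> str:
    """The 86-character hash field only; salt must already be <= 16 bytes."""
    plen, slen = len(password), len(salt)
    # Digest B = SHA512(password + salt + password)
    digest_b = hashlib.sha512(password + salt + password).digest()
    # Digest A = SHA512(password + salt + B stretched to len(password)
    #            + (B or password for each bit of len(password), LSB first))
    a = hashlib.sha512(password + salt)
    a.update(_repeat_to(digest_b, plen))
    n = plen
    while n > 0:
        a.update(digest_b if n & 1 else password)
        n >>= 1
    digest_a = a.digest()
    # P: password hashed len(password) times, stretched back to len(password)
    p_bytes = _repeat_to(hashlib.sha512(password * plen).digest(), plen)
    # S: salt hashed (16 + first byte of A) times, stretched to len(salt)
    s_bytes = _repeat_to(hashlib.sha512(salt * (16 + digest_a[0])).digest(), slen)
    # The expensive part: 'rounds' iterations with a fixed, irregular schedule
    c = digest_a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p_bytes if i & 1 else c)
        if i % 3:
            h.update(s_bytes)
        if i % 7:
            h.update(p_bytes)
        h.update(c if i & 1 else p_bytes)
        c = h.digest()
    return _encode_digest(c)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Full '$6$[rounds=N$]salt$hash' string as written to /etc/shadow.
    Simplification: rounds= is emitted only for non-default rounds, and the
    1000..999999999 clamp glibc applies is not enforced here."""
    salt = salt[:16]                       # glibc ignores salt beyond 16 bytes
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt.decode("ascii") + "$" + sha512_crypt_hash(password, salt, rounds)


def verify_shadow(password: bytes, stored: str) -> bool:
    """Recompute from the salt/rounds in a shadow field and compare the hash
    part in constant time. Non-$6$ or malformed fields verify as False."""
    parts = stored.split("$")             # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    fields, rounds = parts[2:], DEFAULT_ROUNDS
    if fields[0].startswith("rounds="):
        rounds, fields = int(fields[0][len("rounds="):]), fields[1:]
    if len(fields) != 2:
        return False
    salt = fields[0].encode("ascii")[:16]
    return hmac.compare_digest(sha512_crypt_hash(password, salt, rounds), fields[1])


# Test vector from the sha-crypt specification: "Hello world!" / "saltstring"
SPEC_VECTOR = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjn"
               "QJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")

if __name__ == "__main__":
    print(sha512_crypt(b"Hello world!", b"saltstring"))
    print(verify_shadow(b"Hello world!", SPEC_VECTOR))
```

Two points this makes concrete for the question: the salt is appended after the password in digest A (unlike MD5-crypt), and the final encoding is not a reversed-byte or standard base64; it is a fixed interleaving of digest bytes in 24-bit groups emitted low sextet first over the "./0-9A-Za-z" alphabet, which is why Digest::SHA::sha512_base64 can never reproduce a shadow hash. verify_shadow compares only the hash field with hmac.compare_digest, so an explicit rounds=5000 in a stored entry still verifies.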