1. Overview

In this tutorial, we’ll look at the hashing methods used by Linux to hash the user’s passphrase.

2. The User Accounts File Store

In Linux, the /etc/passwd and /etc/shadow files are important as they are the main files that store our user account information and hashed passwords.

2.1. The /etc/passwd File

The /etc/passwd file is the text file that stores the user account information. A typical passwd file contains rows of records that store the information of different users:

$ sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
bob:x:1000:1000:,,,:/home/bob:/bin/bash

We see that each record contains fields that store the username, hashed password, UID, GID, GECOS, home path, and login shell.

From the passwd documentation, the second field is supposed to store the hashed user password. But this is only true for older Linux systems, where hashed user passwords are stored in the passwd file. In newer Linux, the hashed passwords are stored in the /etc/shadow file. In turn, the hashed password field in the /etc/passwd file is filled with the x character.

2.2. Why Do We Need /etc/shadow File?

One important constraint about the /etc/passwd file is that it has to be readable by all the users in the system. This is because a lot of applications rely on the passwd file to perform their functions.

For instance, when we run ls, the command needs to resolve the numerical UID to its corresponding username by referring to the passwd file. Therefore, we can see that if we store the hashed password in the /etc/passwd file, it can largely increase the surface of the attack on the system.

To reduce the attack surface on the system, newer Linux introduced the /etc/shadow file to store all the hashed passwords. It achieves better security by restricting reads and writes of the file to the root user only.

2.3. Structure of the /etc/shadow File

Let’s inspect the file using the cat command:

$ sudo cat /etc/shadow 
root:*:19268:0:99999:7:::
daemon:*:19268:0:99999:7:::
bin:*:19268:0:99999:7:::
sys:*:19268:0:99999:7:::
sync:*:19268:0:99999:7:::
games:*:19268:0:99999:7:::
man:*:19268:0:99999:7:::
lp:*:19268:0:99999:7:::
mail:*:19268:0:99999:7:::
news:*:19268:0:99999:7:::
uucp:*:19268:0:99999:7:::
proxy:*:19268:0:99999:7:::
www-data:*:19268:0:99999:7:::
backup:*:19268:0:99999:7:::
list:*:19268:0:99999:7:::
irc:*:19268:0:99999:7:::
gnats:*:19268:0:99999:7:::
nobody:*:19268:0:99999:7:::
_apt:*:19268:0:99999:7:::
bob:$y$j9T$zPF7Mu9FkqYygaL1ZUgzb1$hRpI0KXcQEvyUrRWHmfYgCw0GEOMXPsKh2iKI5rz/I7:19301:0:99999:7:::

Each line in the file represents a single account and its password information in nine colon-separated fields. The first line is usually the root account. Then, it’s followed by system accounts and then user accounts.

In the file, we can see that the root user and all of the system users have an asterisk in the hashed password field. This means we cannot log in as these users with the UNIX password mechanism.

For our user bob at the last entry, it has a hashed passphrase value of $y$j9T$zPF7Mu9FkqYygaL1ZUgzb1$hRpI0KXcQEvyUrRWHmfYgCw0GEOMXPsKh2iKI5rz/I7. This hashed value is produced by the crypt function in Linux when we set the passphrase for the user using the passwd command.

3. The crypt Function

In Linux, user passphrases are hashed using the crypt function, and then the hashed passphrases are stored in the shadow file.

The hashed passphrase follows a specific format:

$id$salt$hashedpassword

The id is the hashing method used when hashing the passphrase. For example, if the hash value is produced by yescrypt, the ID will be y, and 6 if the sha512crypt method is used. For a complete list of hashing methods and their ID, we can refer to the file format of the crypt function documentation.

By comparing the hashed passphrase of bob we saw earlier with the format, we can see that the ID of the hashing method is y. In other words, our passphrase for user account bob is hashed using the yescrypt method.

4. Changing the Hashing Method

To change the hashing method for hashing the passphrase, we can look at the /etc/pam.d/common-password file. This file contains a line that configures the hashing method used for hashing passphrases. Specifically, we can look at the line with the text pam_unix.so.

$ cat /etc/pam.d/common-password | grep pam_unix.so
password        [success=1 default=ignore]      pam_unix.so obscure yescrypt

We can change the hashing method by replacing the yescrypt argument with another supported hashing method by editing the /etc/pam.d/common-password. For instance, we can change the hashing method to sha512crypt:

$ sudo sed -i 's/yescrypt/sha512crypt/g' /etc/pam.d/common-password

To see it in effect, we change the passphrase for user bob and inspect the value in the /etc/shadow file again:

$ sudo cat /etc/shadow | grep bob
bob:$6$qHfjZ3ABkgCP1UDg$lXwdE7G.GPfSJLwqvDuCvqnFSWow8jI2e0I71gYF3QWpF.PeUyiuAm/VJ8iRj77.2yshaMPvp96XL5hiJtljL/:19302:0:99999:7:::

The hashing method ID is now 6 which corresponds to the ID of sha512crypt.

5. Conclusion

In this article, we’ve taken a look at the hashing of a user’s passphrase in Linux. We started off with inspecting the /etc/shadow file which keeps all the hash passphrases of users in the system. Then, we looked at the format of the hashed passphrase which contains information about the hashing method. Finally, we’ve also seen how we can change the hashing method by editing the /etc/pam.d/common-password file.