I am currently doing a little analysis of password-based authentication on Linux, and I understood the following:
Users' password hashes are stored in /etc/shadow, with the salt used to generate them. The id also provides the algorithm used to get the hash. To verify whether a password is correct, we pass the id and the salt to the crypt function, generate a temporary hash and compare it to the registered hash.
However, when you create a new user, for example, you need to populate that shadow file with the hash and salt. The hash is of course obtained by calling the crypt function, but I can't figure out how the salt is generated when invoking that crypt function.
Indeed, from what I have read and understood of the libc code related to the crypt function, there is nothing related to generating a random salt. We can provide crypt with a random salt we have created by hand when creating a new user, but we almost always create users without providing salts for their password hashing.
So, how is that salt generated the first time when creating a user? Is /dev/random used?
I would appreciate some code or commands in the answer.
Thanks!
/dev/urandom is the right source to read from, but different algorithms may have different requirements for the salt (BCrypt for example accepts only characters of a given alphabet, ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz). The newer password_hash() function accepts any salt, but transforms it to this alphabet (if necessary) before calling the crypt function. – martinstoeckli
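A worked example of the flow the question and the comment describe, added here and not code from the original thread: read salt bytes from /dev/urandom, map them onto the crypt alphabet, build the "$id$salt$" setting string that crypt(3) takes as its second argument, and reuse the id and salt stored in the shadow entry to verify. It assumes Python's stdlib crypt module (a thin wrapper around libc crypt(3)) is available; that module was removed in Python 3.13, so there you would need a third-party binding.

```python
"""Salt generation and use with crypt(3), the way user-creation tools do it (added example)."""
import hmac
import os

# Salt alphabet shared by the crypt(3) methods: the same 64 characters the comment above lists.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 16       # maximum salt length for the $5$ / $6$ (SHA-crypt) methods
SHA512_ID = "6"     # id field of a "$6$salt$hash" entry in /etc/shadow


def random_bytes(n: int) -> bytes:
    """Read n bytes from /dev/urandom; fall back to os.urandom where the device is absent."""
    try:
        with open("/dev/urandom", "rb") as dev:
            return dev.read(n)
    except OSError:
        return os.urandom(n)


def make_salt(length: int = SALT_LEN) -> str:
    """Map random bytes onto the crypt alphabet.

    len(SALT_ALPHABET) == 64 divides 256 exactly, so `byte % 64` is uniform:
    no modulo bias, unlike `% len` over an alphabet whose size is not a power of two.
    """
    return "".join(SALT_ALPHABET[b % 64] for b in random_bytes(length))


def make_setting(salt: str, method_id: str = SHA512_ID) -> str:
    """Build the "$id$salt$" string that selects the algorithm and salt for crypt()."""
    if not salt or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be non-empty and drawn from the crypt alphabet")
    return f"${method_id}${salt}$"


def setting_from_shadow(stored: str) -> str:
    """Recover "$id$salt$" (id, any rounds= option, salt) from a stored "$id$salt$hash"."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash string")
    return "$" + "$".join(parts[1:-1]) + "$"


def hash_password(password: str, method_id: str = SHA512_ID) -> str:
    """New account: fresh salt from /dev/urandom, then crypt() with the chosen id."""
    import crypt  # stdlib wrapper around crypt(3); assumed available (removed in Python 3.13)
    return crypt.crypt(password, make_setting(make_salt(), method_id))


def verify_password(password: str, stored: str) -> bool:
    """Re-run crypt() with the id and salt taken from the stored entry and compare in constant time."""
    import crypt
    return hmac.compare_digest(crypt.crypt(password, setting_from_shadow(stored)), stored)
```

Passing the whole stored entry as crypt()'s setting also works, since crypt() ignores the trailing hash part, but extracting "$id$salt$" makes explicit which fields the verification reuses.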