Re: Passwords

[davenull@tuxfamily.org]

Hello

On 2023-01-17 08:58, Tim Woodall wrote:
> On Tue, 17 Jan 2023, Stanislav Vlasov wrote:
>
> > ??, 17 ???. 2023 ?. ? 11:01, David <david.g_jones@ntlworld.com>:
> >
> > > I have forgotten my password to a Debian PC using an SD stick as it's
> > > main drive.
> >
> > > Looking on the internet it says the passwords are stored in 
> > > /etc/passwd
> > > and /etc/shadow
> >
> > In /etc/shadow only password's hashes, some data, one-way calculated
> > from password string.
> >
> > > The password string in /etc/shadow looks as if it's encoded, how can 
> > > I
> > > read this string?
> >
> > You can't.
> > But you can set new password, if you boot from live-usb/live-cd, mount
> > your system to dir and run `chroot dir && passwd $user`
>
> One other thing you can do if you don't have a quick and easy way to
> boot is to manually replace the hash in /etc/shadow with one that you 
> do
> know the password for. (This might be the case, for example, where the
> USB stick is for booting ARM but all your other machines are x86, 
> mount,
> change password, umount is much quicker than trying to work out how to
> live boot a headless arm system...)

No, don't do that. It's requires to do more steps manually and might 
lead to less security. And you need to make sure to use you use 
cryptographic salt. crypt, the utility used to set passwords stored in 
/etc/shadow, use salts. There is just to many things you could do wrong, 
especially if you use a different tool to henerate the password and 
trust it default settings.

For instance, you might choose (or use by default) the "wrong" 
encryption when you generate the password, which might by less secure 
than the default one. For instance, I just realised after readding this 
thread and checking, Debian 11 now uses yescrypt ($y$ prefix, see 
crypt(5) man entry: `man 5 crypt`). If I replaced the hash manually, I 
would probably used an older encryption algo without realizing it…

You're better off editing /etc/shadow and remove instead of replacing 
the second field, which is the hash with it's encryption identifier 
prefix ($*$) of the salted password. Then boot and log into your 
now-passwordless user account, then set a password again, as you would 
normally normally, using `passwd` command.

IMPORTANT NOTE: Not sure if you need to edit /etc/passwd to remove the 
second field as well, the "x" that indicated a hidden/hashed password is 
used/expected, before rebooting to re-set your password. Last time I did 
that, multiples "debian-stable-versions ago", I remove it "just in case" 
as it doesn't cost anything whether it's necessary or not.

> This is something I did in ancient times when most systems still used
> crypt and the system I was having problems with was the only one (so
> far) that had been converted to use SHA? hashes. I replaced root's 
> hash,
> which I'd forgotten with that of my user account, which I did know.
>
> And if you don't have any hashes that you know the password for then 
> ask
> here, someone can generate one for you - or see this thread:
>
> https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow
>
> Obviously manually editing these files isn't something to be done
> without care. I always have backups so worst case is "restore from
> backup" and not "I've lost everything"