[j-nsp] Format of SHA1 Passwords

Mark Felder feld at feld.me
Tue Dec 3 12:16:05 EST 2013



On Tue, Dec 3, 2013, at 10:46, Chip Marshall wrote:
> On 2013-12-03, Chris Morrow <morrowc at ops-netman.net> sent:
> > > I get things like "$sha1$19418$aoTClyGU$cix8MhZsXwG6OrwUgeHAoOA8f.AX"
> > > where it appears to have the format, some number, what I think is
> > > the salt, and then the hash.
> > > 
> > > Anyone know how these things are calculated?
> > 
> > we do this calculation.... I believe your intended format is:
> >   $1$salt$hash
> > 
> > or that seems to be what our code does.
> 
> That's for MD5 passwords. I have a requirement to use SHA-1.
> 

JunOS is based on FreeBSD, and FreeBSD doesn't support SHA-1 password
hashes. Your choices are:

DES: (no identifier)
MD5: $1$ 
Blowfish: $2$
NTHASH: $3$
SHA256: $5$
SHA512: $6$ (likely not supported as it's recent to FreeBSD)

And how to generate a hash (just change the identifier; it will create
the right hash):

python -c "import crypt, getpass, pwd; print crypt.crypt('password',
'\$1\$SALTsalt\$')"

Just make sure you use a different salt for each password.


More information about the juniper-nsp mailing list