Securely change a user's password from a shell script, to automate the task on the rare occasions it is needed.
Encrypt user password
Encrypt password using SHA256 algorithm with random salt.
$ printf "mypassword1" | mkpasswd --stdin --method=sha-256
$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5
Encrypt password using SHA512 algorithm with defined salt.
$ printf "mypassword2" | mkpasswd --stdin --method=sha-512 --salt "KdN5Re3X2X18"
$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0
The available encryption algorithms are DES, MD5, and SHA256 or SHA512.
You do not need to specify a particular encryption algorithm, as PAM will be used to encrypt the password.
$ cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha256
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
As you can see, SHA512 algorithm will be used by default.
Change user password
Change password for particular user.
Use single quotes to preserve the literal value of each character within the quotes.
$ printf 'milosz:$5$TE9qUgZsrPH2B$Z6leshvNS1M2POmcyNec5liVfY17efGUUEHS0CdyPh6' | sudo chpasswd --encrypted
Change passwords for multiple users using here document.
Use single quotes to disable parameter substitution.
$ sudo chpasswd --encrypted << 'EOF'
milosz:$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5
michal:$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0
EOF
Change passwords for multiple users using simple password file.
$ cat users.txt
milosz:$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5
michal:$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0
$ cat users.txt | sudo chpasswd --encrypted
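With --encrypted, chpasswd stores whatever follows the colon as the password hash, so a cleartext or truncated entry in the password file leaves that account unable to log in. The script below is an added example, not part of the original article: it checks that each line carries a well-formed SHA-256 or SHA-512 crypt string and that the file is private to its owner. The helper names check_line and check_file are hypothetical, and the length and character rules assume the standard $5$/$6$ crypt layout.

```sh
#!/bin/sh
# Added example: pre-flight check for "chpasswd --encrypted" input.
# check_line and check_file are hypothetical helper names (assumptions).

# Succeed only if $1 is "user:hash" and hash is a well-formed
# SHA-256 ($5$) or SHA-512 ($6$) crypt string.
check_line() {
    user=${1%%:*}
    hash=${1#*:}
    [ "$user" != "$1" ] && [ -n "$user" ] || return 1   # "user:" is required
    case $hash in
        '$5$'*) want=43 ;;   # SHA-256 digest length in crypt base64
        '$6$'*) want=86 ;;   # SHA-512 digest length in crypt base64
        *) return 1 ;;       # DES, MD5, cleartext or empty
    esac
    rest=${hash#??\$}        # drop the "$5$" or "$6$" prefix
    case $rest in rounds=[0-9]*\$*) rest=${rest#*\$} ;; esac   # skip optional rounds=N$
    salt=${rest%%\$*}
    digest=${rest#*\$}
    [ "$salt" != "$rest" ] || return 1                  # need salt$digest
    [ -n "$salt" ] && [ "${#salt}" -le 16 ] || return 1
    case $salt$digest in *[!./A-Za-z0-9]*) return 1 ;; esac
    [ "${#digest}" -eq "$want" ]
}

# Succeed only if file $1 is accessible to its owner alone and every line
# passes check_line. Only the line number and user name are reported,
# never the hash itself.
check_file() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -r[w-]-------*) ;;
        *) echo "$1: missing or accessible to group/other" >&2; return 1 ;;
    esac
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        check_line "$line" || { echo "line $n rejected: ${line%%:*}" >&2; bad=1; }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Usage: sh check.sh users.txt && sudo chpasswd --encrypted < users.txt
if [ "$#" -gt 0 ]; then check_file "$1"; fi
```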