Open cdenneen opened 10 years ago
$6$ means SHA-512. rounds=40000 means the hashing algorithm is run 40000 times, increasing the time required to compute it. The salt is between the next two $, 'X..2gnD51IrNt//F' in your first example. If the salt, rounds, and password are the same, the hash would also be the same.
passlib allows you to specify the salt and number of rounds if you want: http://pythonhosted.org/passlib/lib/passlib.hash.sha512_crypt.html
In the example below I show how you can set the salt (and get the same hash when doing so), and how you can set the number of rounds:
>>> import getpass
>>> from passlib.hash import sha512_crypt
>>> sha512_crypt.encrypt('foo', salt='123')
'$6$rounds=60000$123$Nr4e87Pjy6jt70BzHtSyRgpiisZcAyOk5B1u3PFHXDSzt0c5rwckyiMFk19k6cWCDUBW6.3eQi3qIu/imSRjz/'
>>> sha512_crypt.encrypt('foo', salt='123')
'$6$rounds=60000$123$Nr4e87Pjy6jt70BzHtSyRgpiisZcAyOk5B1u3PFHXDSzt0c5rwckyiMFk19k6cWCDUBW6.3eQi3qIu/imSRjz/'
>>> sha512_crypt.encrypt('foo', rounds=10000)
'$6$rounds=10000$HDk5C75r4r5HU0cg$hMdlmH7qoQ9mAhGLIcLK8uUfno7aTBCq3xJ43IBJFk3TQmr4dQIuYTgjj5IoYmtNiKCA4EL.ueVnnr6ai/agn0'
>>> sha512_crypt.encrypt('foo', rounds=10000)
'$6$rounds=10000$j4oGCy1i2guDmRnD$iQ0SBsDp6sLTBF2gn7De1m40DJni.f9RR18xQhZtysi2iniwnb0FYN1VFYeD1oID7KMN0cprW/We2GpyUv5Si1'
Nice script. I noticed something odd though. I copied your script to a brand new CentOS 6.5 server to /usr/bin/mksha. I installed python-passlib as stated in the dependencies.
As far as I know, $6 is a SHA hash, between the next 2 dollar signs is the salt... then after that is the hash... This way, if the same salt is used again in combo with the password, it should generate the same hash... What I'm noticing is that the "salt" is staying the same ("rounds=40000") and the hash is changing.
Here were 3 runs using "foobar" as the password:
Maybe this is correct, I've just never seen "english" words in a hash like this before.
Thanks