When it comes to the passwd/user-password-crypted statement in a preseed file, most examples use an MD5 hash. Example:
# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure
# or encrypted using an MD5 hash.
#d-i passwd/user-password-crypted password [MD5 hash]
From Debian's Appendix B. Automating the installation using preseeding.
A few sources show that it's also possible to use SHA-512:
Try using a hashed password like this:
$ mkpasswd -m sha-512
[…]
And then in your preseed file:
d-i passwd/user-password-crypted password $6$ONf5M3F1u$bpljc9f1SPy1w4J2br[...]
From Can't automate user creation with preseeding on AskUbuntu.
This is slightly better than MD5, but still doesn't resist well against brute force and rainbow tables.
What other algorithms can I use? For instance, is PBKDF2 supported, or am I limited by the algorithms used in /etc/shadow, that is MD5, Blowfish, SHA-256 and SHA-512?
Best Answer
You can use anything which is supported in the /etc/shadow file. The string given in the preseed file is just put into /etc/shadow. To create a salted password to make it more difficult just use mkpasswd with the salt option (-S):
In the command above the salt is generated by pwgen.
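Because the preseed string is copied into /etc/shadow unchanged, a preseed file can be audited before use by reading the `$id$` prefix of each crypted value. The following is an added example, not part of the original answer; it also recognises the yescrypt prefix `$y$`, which the question does not mention. Assumptions: the `passwd/root-password-crypted` key, the function names, and the sample file, whose hash values are constructed placeholders.

```shell
#!/bin/sh
# Map a crypt(3)-style string to its scheme using the "$id$" prefix.
classify_crypt() {
    case "$1" in
        '$1$'*)                   echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo blowfish ;;
        '$5$'*)                   echo sha256 ;;
        '$6$'*)                   echo sha512 ;;
        '$y$'*)                   echo yescrypt ;;
        *)                        echo unknown ;;   # e.g. legacy DES, typo, empty
    esac
}

# Report every active (uncommented) password directive in a preseed file.
# Output: one "VERDICT key [scheme]" line per directive.
audit_preseed() {
    while read -r owner key type value; do
        case "$owner" in '#'*|'') continue ;; esac   # skip comments and blanks
        [ "$type" = password ] || continue
        case "$key" in
            passwd/*-password-crypted)
                scheme=$(classify_crypt "$value")
                case "$scheme" in
                    md5)     echo "WEAK $key $scheme" ;;
                    unknown) echo "REVIEW $key $scheme" ;;
                    *)       echo "OK $key $scheme" ;;
                esac ;;
            passwd/*-password|passwd/*-password-again)
                echo "CLEARTEXT $key" ;;             # password stored unhashed
        esac
    done < "$1"
}

# Constructed sample input; the hash strings are placeholders, not real hashes.
sample_preseed() {
    cat <<'EOF'
d-i passwd/root-password-crypted password $1$constructed$notARealHashValue
d-i passwd/user-password-crypted password $6$constructed$notARealHashValue
#d-i passwd/user-password password insecure
d-i passwd/user-password-again password insecure
EOF
}

tmp=$(mktemp)
sample_preseed > "$tmp"
audit_preseed "$tmp"
rm -f "$tmp"
```
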