
Re: password encryption (makekey)

Frequent Advisor

password encryption

I was successful in encrypting the password in v3 using


/usr/sbin/usermod -p $(perl -e"print crypt('user1123','xxxxxxxx')") -F testid19


But the -p option is available only in HP-UX 11i v3.


But I have to change the user password in HP-UX 11i v1 and v2.


Is there any option?

Patrick Wallek
Honored Contributor

Re: password encryption

On HP-UX 11.11 and 11.23 try using the /usr/sam/lbin/usermod.sam command.


The syntax is a bit different, but it will still work.


# ./usermod.sam -?
Unrecognized Option '?'
Usage: usermod.sam [-p <passwd> [-u <uid> [-o]] [-g <group> [-G <group>[,<group...> [-d <dir> [-m]] [-s <shell>] [-c <comment>] [-f <inactive>] [-e <expire>] [-l <new logname>] <login>


Where the '-p <passwd>' is the encrypted password.  For example:


# /usr/sam/lbin/usermod.sam -p abc123 pwallek


# cat /tcb/files/auth/p/pwallek


And notice that my encrypted password is now abc123.



Frequent Advisor

Re: password encryption




I have tried using the below and was successful, but I am not sure what the use of 66 in the password is.


# export user=testuser
# export pass=testuser66
# /usr/sam/lbin/usermod.sam -p `echo $pass | /usr/lbin/makekey` $user


Without using 66 in the password, I am not successful.


What is the use of 66?

Frequent Advisor

Re: password encryption



/usr/sam/lbin/usermod.sam -p abc123 pwallek


But when I tried the above option, the password is not getting encrypted, and when I check the status with passwd -s username, the user account is still locked.


I am not using trusted system.

Frequent Advisor

Re: password encryption




# /usr/sam/lbin/usermod.sam -p abc123 testuser
# passwd -s testuser

testuser  LK    06/20/13    0  91



Password status is still locked.


I am not able to login.

Patrick Wallek
Honored Contributor

Re: password encryption

In my post above, I said -- Where the '-p <passwd>' is the encrypted password.


You have to pass the encrypted password to the command.  This command does NOT encrypt the password for you.


My example with my id was to show that the string passed to the '-p' option would show up EXACTLY the same in the password field which means NO encryption is done. 

Frequent Advisor

Re: password encryption

# /usr/sam/lbin/usermod.sam -p `echo ABcd@123466 | /usr/lbin/makekey` testuser


What is the use of 66 in the password field?


When I leave out 66, I am not successful.


And when I use 66 in the password field, I am successful and the password set is ABcd@1234.


But 66 is not taken into the password field.


What is the reason?





Dennis Handly
Acclaimed Contributor

Re: password encryption (makekey)

>echo ABcd@123466 | /usr/lbin/makekey


makekey(1) says the first 8 chars are the password and the next two are the salt.

Frequent Advisor

Re: password encryption (makekey)

Hi Dennis,



I do read the man page. Thanks for the info.


But my problem is, I am trying to change the password by script.



echo "------------------------------------------------------------" >> ${PWD2LOG}
echo "Start : `date +\"%Y/%m/%d %H:%M:%S\"` \n" >> ${PWD2LOG}

WORKDAY=`date +%Y%m%d`

echo "User : ${USERNAME}   Pass : ${PASSWD}\n" >> ${PWD2LOG}
#echo $PASSWD
#sleep 5
if [ "${USERNAME}" != "" ];then
  if [ "${PASSWD}" != "" ];then

    echo "Crypting the given password"  >> ${PWD2LOG}

    #/usr/sbin/usermod -p $(perl -e"print crypt('$PASSWD','xxxxxxxx')") -F $USERNAME

    /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME


    if [ $? != 0 ];then
      echo "\nERROR. PASSWD change failed" >> ${PWD2LOG}
      echo "return 1" >> ${PWD2LOG}
      echo  "`hostname`: ERROR. PASSWD change failed"
    else
      echo  "\n Passwd Set OK." >> ${PWD2LOG}
      echo "return 0" >> ${PWD2LOG}
      echo  "`hostname`: Passwd Set OK." >> ${PWD2LOG}
      #echo "0"
    fi
  else
    echo  "\nERROR.  PASSWD param not set" >> ${PWD2LOG}
    echo "return 1" >> ${PWD2LOG}
    echo  "`hostname`: ERROR. PASSWD param not set"
  fi
else
  echo "\nERROR. USER param not set" >> ${PWD2LOG}
  echo "return 1" >> ${PWD2LOG}
  echo "`hostname`: ERROR. USER param not set"
fi
echo "\n End  : `date +\"%Y/%m/%d %H:%M:%S\"`" >> ${PWD2LOG}
echo "------------------------------------------------------------" >> ${PWD2LOG}
exit 0



In /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME


When I am executing it manually, I am successful and the account is able to log in to the server.


But when I am trying to use it in the script, the account is still locked.


I guess there is some mistake in exporting the password fields.


Any suggestion to fix the issue?

Honored Contributor

Re: password encryption

The traditional crypt(3C) Unix password encryption (= what the makekey command does) is technically known as a type of "salted hash".


The "salt" is a value used to modify the encryption process, to make it harder to reverse. The salt should usually be chosen randomly when the password is encrypted for storage.

The crypt(3C) algorithm takes a maximum of 8 characters as a password + 2 characters of salt.

So in your example, the password will be "ABcd@123", the salt will be "46" and the extra "6" at the end will simply be ignored.

(You could have replaced the "66" in your example with just "6" and still would have got the same result. The makekey command wants exactly 10 characters: if it gets less than that, it will fail. If it gets more than that, it gets the first 10 and ignores the rest.)


For each different salt value, the password will be encrypted in a different way. So it will be hard to confirm if someone else has the same password as you by simply comparing the encrypted passwords: if that other person has a different salt value, then the encryption result will be totally different, even if the actual password is the same.

Since the crypt(3C)-style password encryption is not effectively reversible, the password cannot be decrypted for checking. Instead, when the user enters his/her password into the password prompt at login, the user-entered password will also be encrypted, and then the encryption result will be compared with the stored encrypted password. But to make this comparison valid, the user-entered password must be encrypted using the same salt value as the stored password.

To make this possible, the salt must be stored unencrypted: it will be the first two characters in the encrypted password field.


I don't have an HP-UX system available at the moment, so I don't have the "makekey" command. But modern versions of OpenSSL also have a password encryption function, which handles several well-known password algorithms, including crypt(3C):


$ openssl passwd -crypt -salt 46 ABcd@123

I think this is exactly the same as the value you got from the "makekey" command in your example, right?

As you can see, the salt appears unencrypted at the beginning of the encrypted result. This command makes it more obvious, as the salt must be entered using a separate option.


If the -salt option is not used, the "openssl passwd" command will choose the salt value randomly, so the encryption result will be different each time:

$ openssl passwd -crypt ABcd@123
$ openssl passwd -crypt ABcd@123
$ openssl passwd -crypt ABcd@123
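
The 10-character makekey input discussed in this thread (8 password characters followed by 2 salt characters, with the salt chosen randomly), as an added shell example that is not code from any poster here. It also shows that the shell reads `$PASSWDlb` as one variable named `PASSWDlb`, unlike `${PASSWD}lb`. The function names are hypothetical, and `/dev/urandom` and `head -c` are assumed to be available on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the 10-character input that
# makekey expects: 8 password characters followed by 2 salt characters.
# The cleartext password is never echoed to a log file here.

# random_salt: print two random characters from the crypt salt alphabet.
# Assumption: /dev/urandom and "head -c" exist on the host.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9./' < /dev/urandom | head -c 2
}

# makekey_input PASSWORD SALT: print exactly 10 characters, or fail.
makekey_input() {
    pw=$1
    salt=$2
    case $salt in
        [A-Za-z0-9./][A-Za-z0-9./]) ;;
        *) echo "salt must be 2 characters from [A-Za-z0-9./]" >&2
           return 1 ;;
    esac
    # With fewer than 8 password characters the salt would slide into the
    # password positions and makekey would run short of input.
    if [ "${#pw}" -lt 8 ]; then
        echo "password shorter than 8 characters" >&2
        return 1
    fi
    # Only the first 8 password characters are used; the rest is dropped.
    printf '%.8s%s' "$pw" "$salt"
}

# pitfall_demo PASSWORD: show both expansions side by side.
# $PASSWDlb names a variable called PASSWDlb (unset here, so empty);
# ${PASSWD}lb is the password followed by the literal characters "lb".
pitfall_demo() {
    PASSWD=$1
    unset PASSWDlb
    printf '[%s] [%s]' "$PASSWDlb" "${PASSWD}lb"
}

# Constructed sample values: the password and salt quoted in the thread.
makekey_input 'ABcd@1234' 46 && echo
pitfall_demo 'testuser' && echo

# On the HP-UX host the result would feed the thread's commands (not run here):
#   hash=$(makekey_input "$PASSWD" "$(random_salt)" | /usr/lbin/makekey)
#   /usr/sam/lbin/usermod.sam -p "$hash" "$USERNAME"
```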