
NetBSD - weird hash format for sha1


On my NetBSD system, there is a password hash in master.passwd that looks like this:

$sha1$[5 numbers]$[8 letters]$[17 alpha numeric].[10 alpha numeric]

For privacy concerns I left out the actual values. Would someone be willing to explain the different parts of this? I was under the impression that SHA1 resulted in 20 bytes, so I was very confused about what part was the actual hash, and what part was the salt, and what part everything else was.


Solution

  • The relevant parts can be found in NetBSD src/lib/libcrypt.

    For the format: crypt-sha1.c

    The format of the encrypted password is:
    $<tag>$<iterations>$<salt>$<digest>
    where:
        <tag>         is "sha1"
        <iterations>  is an unsigned int identifying how many rounds
                      have been applied to <digest>.  The number
                      should vary slightly for each password to make
                      it harder to generate a dictionary of
                      pre-computed hashes.  See crypt_sha1_iterations.
        <salt>        up to 64 bytes of random data, 8 bytes is
                      currently considered more than enough.
        <digest>      the hashed password.
    

    The digest is 160 bits = 20 bytes, but it is encoded using base64 (4 bytes for 3 source bytes) to 28 bytes (with one zero padding byte). See util.c for that.
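To make the field layout concrete, here is an added example (not part of the original answer and not NetBSD's code) that splits a `$sha1$` entry and decodes the 28-character digest field back to 20 bytes. It assumes the crypt(3)-style alphabet `./0-9A-Za-z` emitted low 6 bits first, and that the 21st byte fed to the encoder repeats the digest's first byte, both taken from a reading of crypt-sha1.c and util.c; the function names and the sample entry are constructed for illustration.

```python
# Added example: field parser for NetBSD-style "$sha1$" entries (not NetBSD code).
# Assumption: crypt(3) alphabet, where '.' and '/' are ordinary digit characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def to64(value, n):
    """Emit n characters, lowest 6 bits first (the crypt(3) convention)."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def from64(chars):
    """Inverse of to64; raises ValueError on a character outside the alphabet."""
    value = 0
    for position, ch in enumerate(chars):
        value |= ITOA64.index(ch) << (6 * position)
    return value

def encode_digest(digest):
    """20-byte digest -> 28 characters. Assumption: digest[0] pads the last group."""
    padded = digest + digest[:1]
    return "".join(to64(int.from_bytes(padded[i:i + 3], "big"), 4)
                   for i in range(0, 21, 3))

def parse_sha1_entry(entry):
    """Split $sha1$<iterations>$<salt>$<digest> and decode the digest field."""
    parts = entry.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "sha1":
        raise ValueError("not a $sha1$ entry")
    _, tag, iterations, salt, encoded = parts
    if not iterations.isdigit() or not 1 <= len(salt) <= 64 or len(encoded) != 28:
        raise ValueError("malformed field")
    raw = b"".join(from64(encoded[i:i + 4]).to_bytes(3, "big")
                   for i in range(0, 28, 4))
    if raw[20] != raw[0]:
        raise ValueError("padding byte does not repeat digest[0]")
    return {"tag": tag, "iterations": int(iterations),
            "salt": salt, "digest": raw[:20]}

# Constructed sample: a made-up digest, not the hash of any real password.
SAMPLE_DIGEST = bytes(range(0x10, 0x24))
SAMPLE_ENTRY = "$sha1$24680$abcdefgh$" + encode_digest(SAMPLE_DIGEST)

if __name__ == "__main__":
    print(SAMPLE_ENTRY)
    print(parse_sha1_entry(SAMPLE_ENTRY))
```

Because `.` is a member of the alphabet, a dot in the middle of the last field, as in the question's `[17 alpha numeric].[10 alpha numeric]`, is part of the 28-character digest rather than a separator.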